6.9 million customers impacted by 23andMe hack: company


DNA testing company 23andMe has confirmed that a "threat actor" was able to access 6.9 million customers' profiles in an October data breach.

On Tuesday, the company said its investigation, assisted by third-party forensic experts, into how millions of "pieces of data" were stolen from 23andMe had concluded and that it was notifying customers that some of their data was accessed.

The DNA testing company uses information like saliva to create profiles on its dashboard and connect people worldwide.

In October, the company notified several customers of a breach of its "DNA Relatives" feature and said it was investigating the matter, Reuters reported.

Investigators concluded that the threat actor accessed roughly 5.5 million DNA Relatives profile files, and that roughly 1.4 million customers participating in the DNA Relatives feature had their "Family Tree" profile information accessed, "which is a limited subset of the DNA Relative profile information," a company spokesperson said in an email.

The threat actor was able to access a "very small" number of user accounts (14,000) in cases where the usernames and passwords used on the 23andMe website were the same as those used on other websites that had previously been compromised, the spokesperson added.

Profiles include information such as a customer’s display name, how often the user logs in, their relationship labels, their predicted relationship and the percentage of DNA shared with their DNA Relative matches, the company said.

They also may include a user’s ancestry reports and matching DNA segments, self-reported location, ancestor birth locations, family names, profile picture, birth year, a web link to a family tree they created, along with anything else they may have included in the “Introduce yourself” section of their profile.

Family Tree profiles, which are more limited, include name, relationship labels and could include birth year and self-reported location.

In a Dec. 1 email, 23andMe said it had taken steps to "further protect customer data," including having all users reset their passwords and requiring two-step verification for all new and existing profiles.

"The company will continue to invest in protecting our systems and data," a spokesperson for 23andMe said.