23andMe Data Breach Exposes Personal Information of 6.9 Million Users
ICARO Media Group
In a recent announcement, genetic testing company 23andMe revealed that its data breach, first disclosed in early October, affected significantly more users than initially reported. The company confirmed that hackers accessed the personal information of approximately 6.9 million individuals.
Hackers gained access to the personal data of approximately 5.5 million users who had opted into 23andMe's DNA Relatives feature. This feature allows customers to share their genetic information with others. The stolen data included individuals' names, birth years, relationship labels, DNA sharing percentages with relatives, ancestry reports, and self-reported locations.
Additionally, 23andMe disclosed that another group of approximately 1.4 million users who had opted into DNA Relatives had their Family Tree profile information accessed. This included display names, relationship labels, birth years, self-reported locations, and information on whether users had chosen to share their data.
It is unclear why 23andMe did not disclose these numbers in its first announcement. With these figures, the data breach is now known to impact nearly half of the company's reported 14 million customers.
The data breach came to light in early October when a hacker claimed to have obtained the DNA information of 23andMe users and posted it on a well-known hacking forum. The hacker demanded payment ranging from $1 to $10 for each individual account's data. Later, the same hacker advertised the alleged records of an additional four million people.
TechCrunch discovered that another hacker had already advertised a batch of allegedly stolen 23andMe customer data two months prior. Analysis found that some of the leaked data matched genetic information voluntarily published online by hobbyists and genealogists, suggesting that the leaked data is authentic.
In the initial disclosure, 23andMe attributed the data breach to customers reusing passwords: hackers gained unauthorized access to accounts using publicly known passwords obtained from other companies' data breaches, a technique known as credential stuffing.
Due to the nature of the DNA Relatives feature, where users are matched with their relatives, hackers accessing one individual's account were able to view personal data for both the account holder and their relatives. This increased the total number of affected 23andMe users.
23andMe has assured affected customers that it has implemented additional security measures to prevent such breaches in the future. However, the incident raises concerns about the security of personal genetic information and emphasizes the importance of strong account credentials and data privacy.
As the investigation into the breach continues, 23andMe is working closely with cybersecurity experts to determine the full extent of the damage and provide necessary support to affected users.