Genetic Testing Company 23andMe Confirms Breach, Data of 6.9 Million Users Leaked
ICARO Media Group
In a recent statement, 23andMe, a prominent genetic testing company, confirmed that a data breach exposed information belonging to approximately 6.9 million users. The breach was carried out through a credential stuffing attack, in which attackers take username and password pairs leaked from other services and replay them against a login page, counting on password reuse. The incident has raised concerns about the security measures the company had in place.
According to Andy Kill, a spokesperson for 23andMe, around 5.5 million of the affected users had enabled the DNA Relatives feature, an opt-in service that matches users to other customers with whom they share DNA. Additionally, approximately 1.4 million people had their family tree profiles accessed by the attackers.
The company, in a filing with the Securities and Exchange Commission (SEC) and an update to its blog post, acknowledged that a threat actor gained unauthorized access to 0.1 percent of user accounts, roughly 14,000 individuals. Those accounts were the direct victims of credential stuffing. The attackers then used the DNA Relatives feature as designed: because a logged-in user can view profile information for each of their DNA matches, every compromised account became a window into the data of its relatives, and 14,000 logins were enough to collect information from millions of other profiles.
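The two-stage pattern described above (credential stuffing against the login endpoint, then one account enumerating many relatives' profiles) is what a detection team would want to spot early. The following is an added example written for this page, not 23andMe's code or logs; the log format, field names and thresholds are assumptions, and all log lines are constructed. It flags source IPs that try many distinct usernames with mostly failed results, flags accounts that view an implausible number of relative profiles, and then intersects the two to surface accounts that were both taken over and used for scraping.

```python
from collections import defaultdict

# Constructed sample auth log (assumed format: "<ts> ip=<ip> user=<user> result=<fail|success>").
# 203.0.113.5 sprays eight different usernames and lands two of them; 198.51.100.7 is a
# normal user who mistypes once and then logs in.
AUTH_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-10-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2023-10-01T10:00:03Z ip=203.0.113.5 user=carol result=success
2023-10-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2023-10-01T10:00:05Z ip=203.0.113.5 user=erin result=fail
2023-10-01T10:00:06Z ip=203.0.113.5 user=frank result=success
2023-10-01T10:00:07Z ip=203.0.113.5 user=grace result=fail
2023-10-01T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2023-10-01T10:05:00Z ip=198.51.100.7 user=ivan result=fail
2023-10-01T10:05:09Z ip=198.51.100.7 user=ivan result=success
"""

# Constructed sample feature-access log (assumed format: "<ts> user=<user> action=<action> target=<id>").
# "carol" (taken over above) walks through twelve relative profiles; "ivan" looks at two.
ACCESS_LOG = "\n".join(
    [f"2023-10-01T10:10:{i:02d}Z user=carol action=view_relative target=r{i:03d}" for i in range(1, 13)]
    + [
        "2023-10-01T10:20:00Z user=ivan action=view_relative target=r001",
        "2023-10-01T10:20:30Z user=ivan action=view_relative target=r002",
    ]
)


def parse(line):
    """Split '<ts> k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, kv = line.split(" ", 1)
    fields = dict(pair.split("=", 1) for pair in kv.split())
    fields["ts"] = ts
    return fields


def detect_credential_stuffing(log, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for source IPs whose login pattern looks like credential
    stuffing: many *different* usernames from one source, most of them failing.
    A single user mistyping their own password touches one username and is not flagged.
    'logged_in' lists the usernames that succeeded from a flagged IP (likely takeovers)."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "ok": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse(line)
        s = per_ip[f["ip"]]
        s["users"].add(f["user"])
        s["attempts"] += 1
        if f["result"] == "fail":
            s["failures"] += 1
        else:
            s["ok"].add(f["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_distinct_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "logged_in": sorted(s["ok"]),
            }
    return flagged


def detect_relative_scraping(log, max_targets=10):
    """Return {user: distinct_profiles_viewed} for accounts that viewed more relative
    profiles than a genuine user plausibly would in the window (threshold is assumed)."""
    targets = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse(line)
        if f.get("action") == "view_relative":
            targets[f["user"]].add(f["target"])
    return {user: len(t) for user, t in targets.items() if len(t) > max_targets}


def triage(auth_log, access_log):
    """Combine both signals: accounts that logged in from a stuffing source AND scraped
    relatives are the highest-priority containment targets (force logout + reset)."""
    stuffing = detect_credential_stuffing(auth_log)
    scraping = detect_relative_scraping(access_log)
    taken_over = {u for s in stuffing.values() for u in s["logged_in"]}
    return {
        "stuffing_ips": sorted(stuffing),
        "scraping_accounts": sorted(scraping),
        "compromised_and_scraping": sorted(taken_over & set(scraping)),
    }


if __name__ == "__main__":
    print(triage(AUTH_LOG, ACCESS_LOG))
```

The credential-stuffing rule keys on distinct usernames per source rather than raw failure counts, because a legitimate user locked out of one account never produces that spread. The scraping rule is the control the DNA Relatives design needed: a per-account ceiling on how many matches' profiles can be pulled in a window, alerting well before one login has harvested hundreds of relatives.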
Despite the magnitude of the breach, 23andMe maintains that there is no evidence of a data security incident within its own systems, and no indication that the credentials used in the attack originated from its platform. The two claims are not strictly contradictory, but the distinction matters less than it sounds: the passwords may well have been stolen elsewhere, yet 14,000 reused logins yielding data on 6.9 million users points to weaknesses the company did control, namely login protections that allowed credential stuffing to succeed at scale, with two-step verification left optional, and a feature design that let a single account pull data from many others.
The first indications of a security issue emerged in October, when 23andMe confirmed reports that user information was being offered for sale on the dark web. The company subsequently launched an investigation into a hacker's claim to have leaked 4 million genetic profiles, including those of individuals in Great Britain and of affluent individuals residing in the U.S. and Western Europe.
Of the leaked data, the 5.5 million DNA Relatives profiles belonged to users whose own accounts were not compromised in the credential stuffing attack; their data was reachable only because a compromised account was one of their DNA matches. The exposed information includes display names, predicted relationships with matches, the amount of DNA shared with each match, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, and more.
The remaining 1.4 million users who participated in DNA Relatives had their family tree profiles accessed. This type of access does not include the percentage of DNA shared with potential relatives or the matching DNA segments, but it does reveal display names, relationship labels, birth years, and self-reported locations.
In response to the breach, 23andMe has begun notifying the affected users. The company has also urged users to reset their passwords and has made two-step verification mandatory for both new and existing accounts; it was previously optional. A second factor directly counters credential stuffing, since a password reused from another site is no longer sufficient on its own to log in.
This breach highlights the importance of robust privacy and security measures in genetic testing services, where a single account can expose data about people who never signed up. As the investigation continues and affected users are notified, it remains critical for companies like 23andMe to strengthen their safeguards to protect user data and prevent similar incidents in the future.