23andMe, a genetic testing company, announced Monday that hackers had accessed the data of approximately 6.9 million individuals. This is a much larger number than previously admitted by the company.
The figure comes from an investigation that 23andMe launched in October, after at least one list of people the site had identified as having Ashkenazi Jewish heritage was published online.
TechCrunch was the first to report on this number.
A company spokesperson said that hackers were able to access some customer accounts through reused passwords. The hackers were also able to take advantage of 23andMe features that provide users with significant information.
The spokesperson said the hackers first used credential stuffing to gain access to the accounts of about 0.1% of 23andMe users. The hackers then looked for users who were enrolled in DNA Relatives, a feature that allows users to relax their privacy restrictions.
DNA Relatives allows users to see important information about their distant relatives, such as their DNA information, ZIP Code, birth year, and names of family members, among others.
The hackers used these tactics to gain access to the profile information of approximately 6.9 million DNA Relatives members, or nearly half of the 14 million users who had enrolled in the service.
23andMe doesn’t expect any major financial consequences from the incident, despite the theft of data. In an updated Securities and Exchange Commission report on the breach, published Saturday, 23andMe said that it expects to lose only $1 million to $2 million in “one-time expenses” related to the incident.