Hackers have accessed the personal information of users of 23andMe, a genetic testing company.
In a filing with the Securities and Exchange Commission, the company confirmed that the attack took place Oct. 1. 23andMe noted that the "threat actor" was able to access accounts of users who used the same login on 23andMe as on other websites that had previously been compromised.
The company said the information accessed "varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics." In addition, the company said the hackers were able to access a "significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature."
In all, about 7 million profiles were compromised, The New York Times reported.
23andMe said it is in the process of notifying the impacted users about the incident. In the meantime, the company said it's taken steps to protect its users' data further, including requiring them to reset their passwords and use a two-step verification process.
The company notes that it has been sued in different federal and state courts as a result of the incident. It expects the breach to cost the company up to $2 million.