Profile information of some 23andMe customers reportedly began appearing recently on a dark web forum often used by hackers.
That happened last week, with bad actors offering compilations of the information for a price, according to NBC News and other outlets. Names, birth years, genders, ancestry and certain other non-DNA profile information were reportedly among the details that got published.
In a Friday blog post, 23andMe said the bad actor may have "accessed 23andMe.com accounts without authorization and obtained information from certain accounts, including information about users’ DNA Relatives profiles, to the extent a user opted into that service."
The bad actor did so "in instances where users recycled login credentials — that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked."
The cybersecurity industry commonly refers to that tactic as credential stuffing.
One tranche of 23andMe profile information consisted of people who the poster said had Ashkenazi Jewish ancestry, according to NBC News. That list reportedly had about 1 million data entries.
"23andMe is committed to providing you with a safe and secure place where you can learn about your DNA knowing your privacy is protected," 23andMe also said in the blog post. "We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks."
The California-based company, founded in 2006, said it conducts routine monitoring and auditing of its systems "to ensure that your data is protected." It said it has urged its users for years to enable multifactor authentication, and on Friday it reiterated that customers should take advantage of that method.
23andMe’s overall customer base amounts to over 14 million, according to its website.
The optional DNA Relatives feature lets users "find and connect with genetic relatives who are also 23andMe users participating in this feature," 23andMe explained on its website. When those using the feature have matched, they can see the display names, sex, profile pictures, predicted relationship and certain other information about each other.
23andMe's market capitalization hovered around $382.42 million as of Monday afternoon, with its shares experiencing a roughly 5% decline.