Some 6.9 million 23andMe customers had their data compromised after an anonymous hacker accessed user profiles and posted them for sale on the internet earlier this year, the company said on Monday. The compromised data included user ancestry data as well as, for some users, health-related information based on their genetic profiles.
The hacker appeared to use what's known as credential stuffing to access customer accounts, logging into individual 23andMe accounts with passwords that had been reused from other websites that were previously hacked. The company said there was no evidence of a breach within its own systems.
Since the hack, the company has announced that it will require two-factor authentication to protect against credential-stuffing attacks on the site.