23andMe says hackers gained access to data of about 6.9 million people

A company spokesperson said the hackers gained access to some customer accounts through reused passwords.
A 23andMe Ancestry + Traits Service DNA kit in New York in 2021. Tiffany Hagler-Geard / Bloomberg via Getty Images file

Genetic testing company 23andMe said Monday that hackers were able to access the data of about 6.9 million people, far more than the company previously acknowledged.

The finding is the result of an investigation 23andMe launched in October, after at least one list of people whom the site identified as having Ashkenazi Jewish ancestry was posted online.

The number of users affected was first reported by TechCrunch.

A spokesperson for the company said the hackers gained access to some customer accounts through reused passwords. The hackers were then able to exploit some 23andMe features that give users significant information about each other.

Hackers used that first tactic, called credential stuffing, to gain initial access to about 0.1% of 23andMe users’ accounts, the spokesperson said. From there, they looked for customers who had enrolled in a program called DNA Relatives, which loosens a user’s privacy restrictions.

DNA Relatives lets users who may be distantly related see significant user information about each other, including their ancestry, DNA information, ZIP code, birth year and family member names, among other information.

Through those tactics, the hackers were able to see profile information of about 6.9 million DNA Relatives users, nearly half of the roughly 14 million people who have enrolled in the program.

Despite the data theft, 23andMe does not expect a major financial fallout from the incident. In a Securities and Exchange Commission filing about the breach updated Saturday, the company said it expects to lose only between $1 million and $2 million in “onetime expenses related to the incident.”