23andMe admitted that the recent data breach gave hackers access to 6.9 million users' DNA data.
23andMe's Credential Stuffing Attack
Almost two months after the credential stuffing attack, 23andMe finally completed its investigation, with the assistance of third-party forensics experts. In an emailed statement to The Verge, a company spokesperson disclosed the total damage of the incident.
According to 23andMe spokesperson Andy Kill, around 5.5 million users who enabled their DNA Relatives feature are affected. A significant number of files were also accessed through the feature.
In addition, there are also 1.4 million users whose family profiles were accessed. A significant number of files were also accessed through the Relatives feature.
As per Kill, the company remains firm that there is no indication yet that the source of the account credential used in the attack came from 23andMe.
23andMe Moving Forward Breaching Incident
As part of concluding its investigation, the company has begun notifying the millions of affected customers, as mandated by the law. More so, 23andMe assured that it will continue to invest in protecting its system and data to prevent a repeat of the incident.
"We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers," the company wrote.
23andMe first confirmed the attack in October after user data have been spotted on hacker forums. The biotechnology company is known for its DNA genetic testing and ancestry detection.