Genetic testing company 23andMe announced on Friday that hackers accessed around 14,000 customer accounts in the company’s recent data breach.
In a new filing with the U.S. Securities and Exchange Commission published Friday, the company said that, based on its investigation into the incident, it had determined that hackers had accessed 0.1% of its customer base. According to the company’s most recent annual earnings report, 23andMe has “more than 14 million customers worldwide,” which means 0.1% is around 14,000.
But the company also said that by accessing those accounts, the hackers were able to access “a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature.”
23andMe did not immediately respond to a request for comment, which included questions on those numbers.
In early October, 23andMe disclosed an incident in which hackers had stolen some users’ data using a common technique known as “credential stuffing,” whereby cybercriminals hack into a victim’s account by using a known password, perhaps leaked due to a data breach on another service.
The damage, however, did not stop with the customers who had their accounts accessed. 23andMe allows users to opt in to a feature called DNA Relatives. If a user opts in to that feature, 23andMe shares some of that user’s information with others. That means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.