After admitting that hackers had accessed 0.1 percent of user accounts on its service, about 14,000 users, 23andMe is now stating that 6.9 million users had their ancestry data stolen.
On Monday, the DNA statistical ancestry company, 23andMe, began notifying 6.9 million (million with an ‘M’) users that hackers compromised their systems and stole their ancestry data.
The size and scope of the compromise are still being investigated. The hack impacts millions of data points affecting millions of people. Wired Magazine estimated a million data points affecting Ashkenazi Jews, hundreds of thousands affecting users of Chinese descent, and an unspecified number of “other users” as defined by 23andMe.
Finding Your Relatives Leaked Your Account
Analysts speculate that 23andMe’s ‘DNA Relatives’ feature could have been the culprit: 5.5 million of the leaked accounts were linked to this feature. DNA Relatives is an interactive, opt-in feature that compares your DNA against that of other 23andMe users in a bid to find long-lost relatives.
Information including users’ names, birth years, relationship labels, percentage of shared DNA, and ancestry reports is shared between matches. Another 1.4 million users were impacted through the Family Tree feature.
23andMe Blames Credential Stuffing
23andMe is notifying users of the compromise. They blame credential stuffing for the leak. Credential stuffing is an attack in which username and password pairs stolen from one site are tried, usually by automated tooling, against a target website to find accounts that reuse them. For example, if you were a user whose credentials were leaked in the Drizly attack, those same credentials could have been used on the 23andMe site if you didn’t change your password on 23andMe.
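Credential stuffing leaves a recognizable pattern in login logs: one source hitting many different accounts in a short window, mostly failing. As an added example (not from this post or from 23andMe), here is detection logic a defender can run over such logs; the log format, the sample lines and the thresholds are assumed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real 23andMe data). Assumed format:
# "<ISO timestamp> <src_ip> login <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 198.51.100.7 login alice FAIL
2023-10-01T10:00:02 198.51.100.7 login bob FAIL
2023-10-01T10:00:02 198.51.100.7 login carol FAIL
2023-10-01T10:00:03 198.51.100.7 login dave SUCCESS
2023-10-01T10:00:04 198.51.100.7 login erin FAIL
2023-10-01T10:00:05 198.51.100.7 login frank FAIL
2023-10-01T10:00:06 198.51.100.7 login grace SUCCESS
2023-10-01T10:05:00 203.0.113.9 login alice FAIL
2023-10-01T10:05:45 203.0.113.9 login alice SUCCESS
"""

def parse(text):
    """Parse log text into (timestamp, src_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, _, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events

def flag_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Credential stuffing looks like one source trying MANY DISTINCT accounts
    with mostly failures in a short window; a real user retries one account.
    Returns {src_ip: accounts that logged in successfully inside such a burst}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over this source's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            w = evs[start:end + 1]
            users = {u for _, u, _ in w}
            fails = sum(1 for _, _, ok in w if not ok)
            if len(users) >= min_users and fails / len(w) >= min_fail_ratio:
                # successes inside a stuffing burst are the accounts to force-reset
                flagged.setdefault(ip, set()).update(u for _, u, ok in w if ok)
    return flagged

if __name__ == "__main__":
    print(flag_stuffing(parse(SAMPLE_LOG)))  # {'198.51.100.7': {'dave', 'grace'}}
```

The retrying user at 203.0.113.9 is not flagged because only one account is involved; the successful logins inside the burst from 198.51.100.7 are the accounts whose reused passwords should be reset.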
It’s the Christmas season, and now is a great time for thieves and criminals to steal accounts. Make sure you protect yourself online, and keep your usernames, passwords, and bank details secure.
And stop sharing so much of your personal intellectual property online!
-MJ