The process seems simple: you spit in a cup, send it off to a lab and all of the hidden links that make up who you are come back to you in detailed lab reports. The most sensitive information that unveils your ancestral roots, health data and family tree are locked behind a username and password, embedded into an online system that is safeguarded by the genetic testing company who processed your DNA.

But what happens when there’s a flaw in that system?


Genetic testing company 23andMe has confirmed that the ancestry data of 6.9 million users has been stolen by hackers. The news comes after the company announced in a court filing submitted to the U.S. Securities and Exchange Commission on Dec. 1 that 0.1% of users (roughly 14,000 customers) were affected by a data breach that took place on Oct. 1.

The company claims that the affected accounts were using usernames and passwords that had also been used on other websites and had been “previously compromised” there.

“We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained,” the company said in the filing.

23andMe has also now revealed that after the hacker accessed that small percentage of accounts, the actor was able to reach the data of millions of other users through those accounts.

“Using this access to the Credential Stuffed Accounts, the threat actor also accessed roughly 5.5 million DNA Relatives profile files,” said a 23andMe spokesperson in a statement to TheStreet. “Additionally, roughly 1.4M customers participating in the DNA Relatives feature had their Family Tree profile information accessed, which is a limited subset of the DNA Relative profile information.”

The information the hacker was able to access through the DNA Relatives feature includes each matched relative's relationship label, the percentage of DNA shared with the compromised account, self-reported location, birth year, family names and anything else the relative had included in the “Introduce yourself” section of their profile.
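The mechanism the article describes, a wave of logins with reused credentials followed by bulk reads of the DNA Relatives data reachable from each account that was entered, leaves two signals in a service's own logs: one source trying many distinct usernames with a high failure rate, and a single account viewing far more relatives' profiles than any real user would. The following Python is an added example written for this page, not 23andMe's code or any real detection rule of theirs; the log formats, thresholds, IP addresses and account names are constructed for illustration.

```python
from collections import defaultdict

# Illustrative thresholds (assumptions for this example, not values from the article).
MIN_DISTINCT_USERS = 8      # distinct usernames tried from one source
MIN_FAILURE_RATIO = 0.6     # share of attempts that failed
MAX_RELATIVE_VIEWS = 50     # distinct relative profiles viewed by one account

# Constructed login events in an assumed format: "<timestamp> <source_ip> <username> <result>".
AUTH_LOG = """\
2023-10-01T02:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T02:00:03Z 203.0.113.5 carol@example.com SUCCESS
2023-10-01T02:00:04Z 203.0.113.5 dave@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.5 erin@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.5 frank@example.com SUCCESS
2023-10-01T02:00:07Z 203.0.113.5 grace@example.com FAIL
2023-10-01T02:00:08Z 203.0.113.5 heidi@example.com FAIL
2023-10-01T02:00:09Z 203.0.113.5 ivan@example.com FAIL
2023-10-01T02:00:10Z 203.0.113.5 judy@example.com FAIL
2023-10-01T09:15:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T09:15:20Z 198.51.100.7 alice@example.com SUCCESS
2023-10-01T10:02:00Z 192.0.2.44 carol@example.com SUCCESS
"""

# Constructed DNA Relatives profile-view events: "<timestamp> <viewer> <viewed_profile_id>".
# carol's account (entered from the stuffing source) reads 120 relatives; alice reads 3.
RELATIVE_VIEW_LOG = "\n".join(
    [f"2023-10-01T02:01:{i % 60:02d}Z carol@example.com rel-{i:04d}" for i in range(120)]
    + [f"2023-10-01T09:16:0{i}Z alice@example.com rel-{i:04d}" for i in range(3)]
)


def parse_auth_log(text):
    """Split each non-empty line into (timestamp, ip, username, result)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def parse_view_log(text):
    """Split each non-empty line into (timestamp, viewer, profile_id)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Returns {ip: {distinct_users, failure_ratio, accounts_entered}}, where
    accounts_entered lists the usernames that did log in from that source."""
    by_ip = defaultdict(list)
    for _ts, ip, user, result in events:
        by_ip[ip].append((user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        failures = sum(1 for _, r in attempts if r == "FAIL")
        ratio = failures / len(attempts)
        if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
            findings[ip] = {
                "distinct_users": len(users),
                "failure_ratio": round(ratio, 2),
                "accounts_entered": sorted(u for u, r in attempts if r == "SUCCESS"),
            }
    return findings


def detect_relative_scraping(views):
    """Flag accounts that viewed more distinct relative profiles than the threshold."""
    seen = defaultdict(set)
    for _ts, viewer, profile in views:
        seen[viewer].add(profile)
    return {v: len(p) for v, p in seen.items() if len(p) > MAX_RELATIVE_VIEWS}


def correlate_pivot(stuffing, scraping):
    """Accounts entered from a stuffing source that then bulk-read relatives:
    the pivot from a few thousand accounts to millions of profiles."""
    entered = {u for f in stuffing.values() for u in f["accounts_entered"]}
    return sorted(u for u in scraping if u in entered)


if __name__ == "__main__":
    stuffing = detect_credential_stuffing(parse_auth_log(AUTH_LOG))
    scraping = detect_relative_scraping(parse_view_log(RELATIVE_VIEW_LOG))
    print("stuffing sources:", stuffing)
    print("bulk relative readers:", scraping)
    print("entered then scraped:", correlate_pivot(stuffing, scraping))
```

The login detector alone only tells you which accounts were entered; the profile-view detector alone only tells you that someone read a lot of relatives. Joining the two is what turns 14,000 entered accounts into the list of accounts whose relatives' data needs to be counted as exposed, which is the number the company later had to revise upward. Rate-limiting relative-profile reads per account and requiring a second factor for logins from a source already flagged by the first detector are the two controls these signals naturally feed.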

Hackers can have an interest in obtaining DNA data for a multitude of reasons. They can sell the stolen data for profit on the black market, use it for blackmail or impersonation, or even as a biological weapon.

Giving away your most private information

A technician handles a DNA sample at a Genesis Healthcare Co. laboratory in Tokyo, Japan, on Wednesday, July 4, 2018. DNA testing at home in Japan is starting to gain traction as more people age and seek answers about their risks for diseases. Photographer: Kiyoshi Ota/Bloomberg via Getty Images


This is not the first time a genetic testing company has faced a data breach that put millions at risk of having their personal information revealed. In 2018, DNA testing service MyHeritage revealed in a press release that over 92 million users had their usernames and passwords leaked to a private server after a 2017 data breach.

DNA Diagnostics Center also suffered a data breach in 2021, in which the Social Security numbers, payment information and names of over 2.1 million residents nationwide were compromised. The company was forced to pay a $400,000 fine as a result.

The Federal Trade Commission has been cracking down on genetic testing companies in recent years. In 2019, the FTC issued a warning to companies selling these kits to clarify to customers how their information is used, who can view the data in their user profiles and whether the data is shared with the pharmaceutical industry or medical researchers.

In June this year, genetic testing company 1Health.io, formerly known as Vitagene, faced a complaint from the FTC that it “deceived consumers about its privacy and security practices.”

The FTC found that genetic testing firm 1Health.io “left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.”

As a result of the findings, 1Health.io was required to strengthen its privacy and security protections for genetic information and tell third-party contract laboratories to destroy consumer DNA samples that were more than 180 days old.
