23andMe notifies customers of data breach into its 'DNA Relatives' feature

Attendees visit the 23andMe booth at the RootsTech annual genealogical event in Salt Lake City

By Zeba Siddiqui

SAN FRANCISCO (Reuters) - Genetics testing company 23andMe on Tuesday sent emails to several customers to inform them of a breach of the "DNA Relatives" feature that allowed them to compare ancestry information with users worldwide.

After a hacker advertised millions of "pieces of data" stolen from 23andMe on an online forum this month, the company had said it was working with federal law enforcement and forensic experts to investigate it.

In the new emails, a copy of which was seen by Reuters, 23andMe told customers there was a breach of one or more accounts connected to theirs through the "DNA Relatives" feature. That feature allows users around the world to connect and share their personal data including relationship labels, ancestry reports and matching DNA segments, location, birth year and family names, among other things.

"There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives," the company told customers in the email on Tuesday. "As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor."

23andMe provides DNA testing that helps users learn more about their ancestry. Since news of the hack, many customers have expressed worries their ethnicity and other sensitive information could be used against them if leaked. A U.S. lawmaker last week sought more detail on the leaks.

Several users on social media on Tuesday said they got the email, but it was unclear how many customers had been informed. 23andMe spokeswoman Katie Watson declined to comment, citing its ongoing probe, and referred to the blog where the company said on Oct. 20 that it was temporarily disabling features in the "DNA Relatives" feature to protect user privacy.

Earlier, the company had said hackers may have used credentials leaked from other websites to breach 23andMe accounts - a technique known as 'credential stuffing'. It advised users to change their login information and enable two-factor authentication to prevent compromise.

(Additional reporting by Alexandra Ulmer in San Francisco; Editing by David Gregorio)