Ancestry website 23andMe has confirmed that a recent breach has led to the leak of data belonging to around 6.9 million users.

The data includes things like users' display names, their ancestry reports, profile pictures, and more.

Who was affected by the breach?

Andy Kill, 23andMe's spokesperson, in an email statement to The Verge, said that the breach affected around 5.5 million users who had DNA Relatives enabled. This feature matches users with similar genetic makeups, i.e., it matches people with other members they may share ancestry with.

Another 1.4 million people had data related to their family tree profiles accessed.

In a filing with the Securities and Exchange Commission (SEC), the ancestry website said that "threat actors" used a credential stuffing attack to access "a very small percentage" of user accounts, which the filing refers to as the "Credential Stuffed Accounts".

This, as per The Verge, amounts to around 14,000 users. However, by using the DNA Relatives feature from these 'credential stuffed accounts', the hackers accessed additional information from millions of other profiles.

"Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1 per cent) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the 'Credential Stuffed Accounts')."

"We still do not have any indication that there has been a data security incident within our systems," it said.

The data these 'threat actors' accessed

The first public signs of trouble for 23andMe appeared in October, when a threat actor, as per the SEC filing, posted online a claim to have 23andMe users’ profile information.

At the time, 23andMe confirmed that user information was up for sale on the dark web.

The Verge reports that the 5.5 million DNA Relatives profile leak includes users who weren't a part of the initial credential stuffing attack.

Leaked data includes information like their display names, predicted relationships with others, the amount of DNA users share with matches, ancestry reports, self-reported locations, ancestor birth locations, family names, profile pictures, etc.

For the remaining 1.4 million users, who also participated in the DNA Relatives feature, their family tree profiles were accessed. This means that information like display names, relationship labels, birth year, and self-reported locations was accessed.

The company said that it was still in the process of notifying users affected by the breach. Additionally, it now requires two-step verification for new and existing users, and existing users have been required to reset their passwords.

"We are in the process of notifying affected customers, as required by law," it said in a blog post.

"We have taken steps to further protect customer data, including requiring all existing customers to reset their password and requiring two-step verification for all new and existing customers. The company will continue to invest in protecting our systems and data."