The damage, however, did not stop with the customers who had their accounts accessed. 23andMe allows users to opt into a feature called DNA Relatives.
If a user opts-in to that feature, 23andMe shares some of that user’s information with others.
That means that by accessing one victim’s account, hackers were also able to see the personal data of people connected to that initial victim.
23andMe said in the filing that for the initial 14,000 users, the stolen data “generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics.” For the other subset of users, 23andMe only said that the hackers stole “profile information” and then posted unspecified “certain information” online.