23andMe told BleepingComputer that the data was obtained through credential stuffing attacks to breach customer accounts. Using these limited numbers of accounts, the threat actors used the ‘DNA Relatives‘ feature to scrape millions of individuals’ data.
In a recent update, 23andMe told BleepingComputer that a total of 6.9 million people were impacted by the breach — 5.5 million through the DNA Relatives feature and 1.4 million people through the Family Tree feature.
Emails sent to customers about this change state that users have up to 30 days of receiving the email notification to notify 23andMe at [email protected] that they disagree with the new terms.
Those who send an email disputing the update will remain on the previous Terms of Service.