
23andMe Reveals 6.9 Million User Accounts Were Hacked

The company says data breaches reached nearly half of the site's users.


The Story: The user base for 23andMe, the biotech and personal genomics company, was hacked in October. Last week, 23andMe announced that the personal data of around 14,000 of its customers was compromised.

Although of course not ideal, that seems like a pretty small number, right? Only 0.1% of the company’s users? Well, 23andMe also reported that the hackers were able to interact with “a significant number of files containing profile information about other users’ ancestry.”

How significant is the number of files? About 6.9 million, according to TechCrunch.

In an email to TechCrunch, 23andMe’s spokesperson confirmed that, “hackers accessed the personal information of about 5.5 million people who opted-in to 23andMe’s DNA Relatives feature.” The stolen data included users’ names, birth years, DNA percentages shared with relatives, ancestry reports and self-reported location.

Another group of about 1.4 million 23andMe users who had opted in to 23andMe’s DNA Relatives tool also “had their Family Tree profile information accessed.” Hackers would have been able to extract display names, relationship labels, birth year, and self-reported location from these 1.4 million profiles.

23andMe did not mention the 5.5 million or 1.4 million accounts accessed in its official disclosure of the extent of the hack last week, but did update its site yesterday at 2:45pm with the “additional details” of those numbers, which total about half of the site’s entire user base.

According to 23andMe’s disclosure, the company does not have “any indication that there was a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” The company contends that the hack was carried out through a process called credential stuffing, where usernames and passwords compromised from other websites were used to hack accounts.
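Credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts and fails most of the time, unlike a legitimate user mistyping a password on a single account. The detector below is an added example written for this article, not code from 23andMe or Venture Daily; the log format (timestamp, source IP, username, result), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example (not from the article or 23andMe). Assumed log format:
"<timestamp> <source_ip> <username> <OK|FAIL>" per line.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one IP sprays six accounts (stuffing pattern),
# another IP is one user retrying their own password (benign pattern).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol OK
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:04Z 203.0.113.7 erin FAIL
2023-10-01T10:00:05Z 203.0.113.7 frank OK
2023-10-01T10:05:00Z 198.51.100.2 alice FAIL
2023-10-01T10:05:30Z 198.51.100.2 alice FAIL
2023-10-01T10:06:00Z 198.51.100.2 alice OK
"""


@dataclass
class IpStats:
    users: set = field(default_factory=set)      # distinct accounts tried
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)  # accounts actually entered


def parse(log: str) -> dict:
    """Aggregate login attempts per source IP."""
    stats = defaultdict(IpStats)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.users.add(user)
        s.attempts += 1
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return dict(stats)


def flag_stuffing(stats: dict, min_users: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Return {ip: sorted accounts it logged into} for IPs that tried many
    distinct accounts with a high failure rate. Assumed thresholds."""
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged
```

The accounts listed for a flagged IP are the ones to treat as compromised (force a reset and review what they accessed), which is the triage step the disclosure's "no incident within our systems" framing leaves to the site operator.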

Expert Take: Michael Cortez, partner at YL Ventures, explains what exactly the hackers use this data for:

“Most of the time these kinds of attacks are done to get people’s privileged information, usernames and passwords, that can then be used in what is called credential stuffing attacks… a lot of people re-use the same username and password in multiple sites, so if you had an account with 23andMe, maybe you also use the same username and password for your bank account.”

Cortez adds, however, that the headlines may sound worse than the reality, since the hackers stole digital data, not physical DNA:

“It’s not as if your genome is now out there somewhere on the dark web, it’s really a lot more benign than that, but still obviously some very sensitive personal information.”

Michael Cortez, partner at YL Ventures
