23andMe said that the profile information of some customers was accessed without their permission by a third party.
The South San Francisco, Calif.-based human genetics company said in a regulatory filing on Tuesday that there was no indication of a data security incident in its systems. 23andMe
also said there wasn’t anything to suggest that it was the source of the credentials used in the cyberattack.
The company said it believed a third party was able to access accounts because some of its customers’ usernames and passwords were the same as those used on other websites that had been previously compromised. The company said the information that was accessed is created by users, who have to option to share it through the company’s DNA Relatives feature.
23andMe said it is working to mitigate the impact of the incident and was investigating the scope of the attack. The company has hired forensic experts to help with the investigation.
The company said it was unable to predict the costs associated with the incident.