Genetics firm 23andMe has confirmed that some of its user data were stolen in a credential-stuffing attack, BleepingComputer reports.

Credential stuffing is a type of cyberattack where hackers use stolen login credentials to gain access to online accounts. Hackers often obtain these stolen credentials from data breaches that have occurred at other companies.

23andMe said that the stolen data may include users’ names, locations, birthdays, sex, photos, and genetic ancestry results. The company has notified all affected users and is offering them free credit monitoring and identity theft protection services.

23andMe is recommending that all users change their passwords and enable two-factor authentication (2FA) on their accounts. 2FA adds an extra layer of security to online accounts by requiring users to enter a code from their phone in addition to their password.

As many as 7 million accounts may be included in the sale of the stolen data, PCMag reported on Wednesday, citing a post from Dark Web Informer that shared screenshots of another now-deleted hacker forum post. That’s roughly half the total number of users on 23andMe’s platform. According to Ars Technica, hackers claimed that 23andMe’s CEO knew about the leaked data two months prior, but didn’t disclose the incident.

Meanwhile, 23andMe has tweeted that it has not identified any unauthorized access to its systems so far.
