The company says the 23andMe data breach affects 6.9 million profiles

Hackers, using old passwords from customers of genetic testing company 23andMe, accessed personal information from about 6.9 million profiles, which in some cases included lineage trees, birth years and geographic locations, the company said Monday.

In October, a hacker posted online claiming that he had 23andMe users’ personal information, the company wrote in a letter. Securities and Exchange Commission disclosure Friday.

“We are not aware of any reports of inappropriate use of data following the leak,” a 23andMe spokeswoman said Monday.

The hackers, using old passwords used by 23andMe customers at other hacked sites, were initially able to compromise about 14,000 profiles — or 0.1 percent — of 23andMe user accounts, the company said in an SEC filing.

The company spokeswoman said hackers would be able to access anything available in those 14,000 profiles, including information related to health and ancestry.

The hack also opened the door to millions of other customer profiles — about half of 23andMe customers — who wanted to use 23andMe to connect with those with close DNA matches, she said. Users can sign up for a feature called DNA Relatives, where they can provide specific information to others at 23andMe who may have a close DNA match.

The hackers were able to access information from 5.5 million DNA relatives’ profiles, which includes their display name, how recently they logged into their account, the percentage of shared DNA with their DNA relatives and their expected relationship with that person, according to a 23andMe statement. It may also include self-reported information such as geographic location, year of birth, family tree, and any photos they have uploaded.

The hackers also accessed family tree profile information for approximately 1.4 million other customers participating in the DNA Relatives feature, including display names and relationship labels. The company said the information may also include year of birth and geographic location if the user chooses to share that data.

23andMe is currently working to notify all affected customers, as required by law. The spokeswoman said there was no timeline for when everyone would be notified.

The company is asking all customers to change their current password and set up two-step verification, according to a statement from the company 23andMe website.

The hack came as no surprise to Ramesh Srinivasan, a professor in the Department of Information Studies at UCLA, as such events have become increasingly common. He added that it is always possible for information to be stolen when it is provided to a third party.

“Should we provide highly personal and intimate data to an organization that, by and large, has strong loyalty to its investors and boards?” He said.