
23andMe user data targeting Ashkenazi Jews leaked online

Hackers have compiled what appears to be a giant list of people with Ashkenazi Jewish ancestry, using information taken from the genetic testing service 23andMe, and the list is now being shared on the internet.

A database that has been shared on dark web forums and viewed by NBC News has a list of 999,999 people who allegedly have used the service. It includes their first and last name, sex, and 23andMe’s evaluation of where their ancestors came from. The database is titled “ashkenazi DNA Data of Celebrities,” though most of the people on it aren’t famous, and it appears to have been sorted to only include people with Ashkenazi heritage.

NBC News was able to verify the data of two 23andMe users in the breach as authentic.

“Crazy, this could be used by Nazis,” one person who appears in the database said.

The company is still investigating the incident, but is treating the leak as authentic. In an emailed statement, a 23andMe spokesperson said the company believes it wasn’t hacked per se. Instead, it believes that the hackers simply obtained some users’ passwords that had been hacked and leaked from other sites, then exploited the fact that 23andMe can give users vast access to each other’s genetic information.

Earlier this week, a user on a popular hacker forum had claimed to have made a larger database of users and to be offering it for sale. It’s unclear if whoever compiled the list to only include Ashkenazi heritage is the same person or group who initially offered it for sale.

23andMe tests users’ genetic makeup by having them spit in a tube and processing their DNA. The company sorts people into dozens of types of human “populations” and tells them which ones they match most closely with. The list appears to be a random sample of hundreds of thousands of people for whom Ashkenazi Jewish is at least among their top three populations.


A popular option available to the company’s 14 million users, called DNA Relatives, allows any account to search for others who may be even a distant genetic match. A single account can see the accounts of thousands of others. 23andMe believes that the hackers simply recycled some users’ passwords — it isn’t clear how many — to scrape the list of people it had labeled as having Ashkenazi heritage.

“We are taking this issue seriously and will continue our investigation to confirm these preliminary results,” the statement said. 

Kevin Collier

Kevin Collier is a reporter covering cybersecurity, privacy and technology policy for NBC News.

Donna Mendell contributed.