23andMe, the popular DNA testing company, has launched an investigation after client information was listed for sale on a cybercrime forum this week.

On Oct. 1, a post was published on the forum with a link to a sample of allegedly “20 million pieces of data” from the genetic testing company, claiming that it was “the most valuable data you’ll ever see.” The first leak included 1 million lines of data, but on Oct. 4, the threat actor began offering bulk data profiles ranging from $1 to $10 per account in batches of 100, 1,000, 10,000, and 100,000 profiles. 

The information leaked in the breach includes names, usernames, profile photos, gender, birthdays, geographical location, and genetic ancestry results. 

23andMe has confirmed that the data is legitimate and stated that “the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data,” meaning that recycled login credentials accessed from other cyber incidents were used to gain access to accounts with the DNA company.

According to other reports of the breach, many of the compromised accounts were those that had opted into the “DNA Relatives” feature available on the 23andMe platform. The threat actor accessed a limited number of accounts and “was able to scrape data associated with potential relatives,” company officials said. 

The scope of the breach remains unclear, and it is unknown whether the threat actors have been in contact with 23andMe directly.