More particulars are rising a couple of data breach the genetic testing company 23andMe first reported in October. But as the corporate shares extra info, the state of affairs is turning into even murkier and creating higher uncertainty for customers trying to know the fallout.

23andMe mentioned originally of October that attackers had infiltrated a few of its customers’ accounts and piggybacked off of this entry to scrape private information from a bigger subset of customers by means of the corporate’s opt-in, social sharing service often called DNA Relatives. At the time, the corporate did not point out what number of customers had been impacted, however hackers had already begun promoting information on prison boards that gave the impression to be taken from no less than 1,000,000 23andMe customers, if no more. In a US Securities and Exchange Commission filing on Friday, the corporate mentioned that “the threat actor was able to access a very small percentage (0.1 %) of user accounts,” or roughly 14,000 given the corporate’s recent estimate that it has greater than 14 million prospects.

Fourteen thousand is lots of people in itself, however the quantity did not account for the customers impacted by the attacker’s data-scraping from DNA Relatives. The SEC submitting merely famous that the incident additionally concerned “a significant number of files containing profile information about other users’ ancestry.”

On Monday, 23andMe confirmed to TechCrunch that the attackers collected the private information of about 5.5 million individuals who had opted in to DNA Relatives, in addition to info from an extra 1.4 million DNA Relatives customers who “had their Family Tree profile information accessed.” 23andMe subsequently shared this expanded information with WIRED as well.

From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users specifically had display names and relationship labels stolen and, in some cases, also had birth years and self-reported location data affected.

Asked why this expanded information wasn’t in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”