Genetics research company 23andMe is requiring customers to change their passwords following a data breach that left millions of accounts susceptible to hackers.

In an email sent to customers on Oct. 10, 23andMe confirmed reports that hackers had obtained profile information including names, locations and genetic ancestry information of an unspecified number of users.

The email stated that there was no evidence that the leak had come from within 23andMe’s own systems. A spokeswoman for the company told The Washington Post hackers had likely used a technique called “credential stuffing,” wherein hackers obtain username and password combinations used on other sites and use those same login credentials to access different accounts.

According to The Washington Post, the hacker responsible for the breach offered the data for sale on several underground online forums and said they had a large database available of users with Ashkenazi Jewish ancestry.

Fox News reported that the hacker also claimed to have data from celebrities including Elon Musk and Mark Zuckerberg, although that has not been confirmed.

The data included in the breach did not include all the information included in a user’s profile, but came specifically from users who had opted to share information with their genetic relatives in 23andMe’s DNA Relatives feature.

23andMe has approximately 14 million users, and more than half have made their data visible to relatives, per The Washington Post.

23andMe’s genetic testing kits include options for ancestry breakdowns, traits, health predisposition and carrier reports. The data leaked did not include genomic information, but did contain genetic ancestry results.

In the email to their customers, 23andMe stated they had enlisted the help of law enforcement and forensic experts in order to investigate the hack.

What should users do about the 23andMe hack?

The company recommended that all users, even those who had not opted in to the DNA Relatives sharing feature, should take steps to protect their information. Here’s what you can do.

  • Reset your password. Pick one that is difficult to guess and is unique to 23andMe, meaning you do not use that password for any other account.
  • Add two-step verification to your account.
  • If you use Google or Apple to log in, protect that account by enabling multi-factor authentication.

These steps can and should be used on any accounts you have in order to protect your information and safeguard from fraud and identity theft.