In a Friday SEC filing providing an update on its investigation of a recent security incident (that it will not call a breach, based on justifications that remain unclear), 23andMe says a bad actor was able to access 0.1 percent of the company’s accounts through credential stuffing. According to TechCrunch’s estimates, that 0.1 percent figure translates to around 14,000 accounts.

However, those accounts were used to access a “significant number of files containing profile information about other users’ ancestry” that users share when opting in to its DNA Relatives feature. How many is “significant”? 23andMe didn’t say.