Israel-based genealogy and DNA testing company MyHeritage has apparently suffered a data breach that resulted in the compromise of email addresses and hashed passwords of all 92+ million of its users.
MyHeritage data breach
The company’s Chief Information Security Officer Omer Deutsch revealed on Monday that an unnamed security researcher found a file named myheritage containing email addresses and hashed passwords on a private server outside of MyHeritage.
The researcher downloaded the file and sent it to the company for review; MyHeritage quickly confirmed that the user data in it had come from its own servers.
“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach,” Deutsch explained.
“MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
He did not name the hashing algorithm, but the company appears confident that whoever stole the data will not be able to use it, as it has not forced a password reset on users. One caveat a practitioner would raise: a per-user hash key (a salt) defeats precomputed lookup tables and stops a single pass over a wordlist from cracking every account at once, but it does not by itself prevent offline guessing of weak passwords if the underlying hash is fast, so until the algorithm is disclosed users should assume their hashes can be attacked.
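To make that caveat concrete, here is an added Python example (not MyHeritage's code, whose scheme the company has not disclosed) that runs the same small wordlist attack against three ways of storing the same constructed set of passwords: an unsalted fast hash, a per-user salt over a fast hash, and a per-user salt over a deliberately slow KDF. The user records, wordlist, the choice of SHA-1/SHA-256/PBKDF2-HMAC-SHA256 and the 100,000-iteration work factor are all assumptions made for the demonstration.

```python
"""
Added example: why a per-user salt stops a precomputed lookup table but,
on its own, does not stop guessing of weak passwords.
Not MyHeritage's code; algorithms and data are assumptions for illustration.
"""
import hashlib
import os

# Constructed sample data for the demonstration; not data from the breach.
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou"]
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "letmein",
    "carol@example.com": "Nw7#plover-kettle-9",  # deliberately not in WORDLIST
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware budget


def hash_unsalted(password: str) -> str:
    """One fast hash, identical for every user with that password: cheap to precompute."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted_fast(password: str, salt: bytes) -> str:
    """Per-user random salt (a 'hash key that differs for each customer') over a fast hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_salted_slow(password: str, salt: bytes) -> str:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_leak(users: dict, scheme: str) -> dict:
    """Produce the kind of records an attacker would find: email -> (salt, hash)."""
    leak = {}
    for email, pw in users.items():
        if scheme == "unsalted":
            leak[email] = (b"", hash_unsalted(pw))
        else:
            salt = os.urandom(16)
            fn = hash_salted_fast if scheme == "salted_fast" else hash_salted_slow
            leak[email] = (salt, fn(pw, salt))
    return leak


def crack_unsalted(leak: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every user up: work does not grow with user count."""
    table = {hash_unsalted(w): w for w in wordlist}  # len(wordlist) hash calls in total
    cracked = {email: table[h] for email, (_, h) in leak.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(leak: dict, wordlist: list, hash_fn, cost_per_guess: int = 1) -> tuple:
    """A salt forces one hash per (user, guess); returns cracked users and total work units."""
    cracked, work = {}, 0
    for email, (salt, h) in leak.items():
        for w in wordlist:
            work += cost_per_guess  # cost of one guess, in units of the fast-hash case
            if hash_fn(w, salt) == h:
                cracked[email] = w
                break
    return cracked, work


def compare(users: dict = SAMPLE_USERS, wordlist: list = WORDLIST) -> dict:
    """Attack all three schemes; return {scheme: (sorted cracked emails, work units)}."""
    results = {}
    c, w = crack_unsalted(build_leak(users, "unsalted"), wordlist)
    results["unsalted"] = (sorted(c), w)
    c, w = crack_salted(build_leak(users, "salted_fast"), wordlist, hash_salted_fast)
    results["salted_fast"] = (sorted(c), w)
    c, w = crack_salted(build_leak(users, "salted_slow"), wordlist,
                        hash_salted_slow, PBKDF2_ITERATIONS)
    results["salted_slow"] = (sorted(c), w)
    return results


if __name__ == "__main__":
    for scheme, (cracked, work) in compare().items():
        print(f"{scheme:12s} cracked={cracked} work_units={work}")
```

The salt makes no difference to which accounts fall: the two weak passwords are recovered under every scheme, and the strong one under none. What changes is cost. Against the unsalted hash the attacker pays for the wordlist once and reuses the table for all users; the salt forces the wordlist to be re-hashed per user, and only the slow KDF multiplies each of those guesses by a large work factor. That is why "the hash key differs for each customer" is necessary but not sufficient, and why a password change is still the right advice when the algorithm is unknown.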
Deutsch also said that no other data related to MyHeritage was found on that private server.
“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised,” he noted. “We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”
The company does not store credit card information, and other sensitive data such as family trees and DNA data is held on segregated systems with additional layers of security.
It is still unknown whether an external attacker breached the company's defenses or a malicious insider exfiltrated the data.
MyHeritage has called in an outside cybersecurity firm to help investigate and determine the scope of the intrusion and to help them beef up security.
They’ve also informed the relevant authorities, including European regulators, as the newly implemented EU General Data Protection Regulation (GDPR) requires companies to notify the supervisory authority of a personal data breach involving individuals in the EU within 72 hours of becoming aware of it, or face substantial fines.
Deutsch advised all users to change their passwords (making them strong and unique) and to take advantage of the two-factor authentication feature the company will soon make available.