Email addresses and hashed passwords of more than 92 million MyHeritage users were exposed to a cybersecurity breach on Oct. 26, 2017, the popular genealogy company reported on Monday, June 4, 2018.
MyHeritage said it only learned of the breach earlier that day — more than seven months after the fact — when an unidentified “security researcher” messaged the company’s chief information security officer. The researcher said they found a user data file on a private server and passed on a copy of the file.
MyHeritage, which allows users to build family trees and search their DNA for clues to their ancestry, immediately reported the breach in a blog post, writing:
Our information security team received the file from the security researcher, reviewed it, and confirmed that the content was from MyHeritage and included all email addresses of users who had signed in to MyHeritage up to October 26, 2017, and their hashed passwords.
The post went on to explain that the company does not store user passwords, only a one-way hash of each password, and that the random value mixed into each hash, known as a salt, is different for each user. Holding a salted hash does not directly reveal the real password, and per-user salts prevent an attacker from using one precomputed table against every account or spotting which users share a password. It does not, however, stop an attacker from guessing weak passwords against each hash individually, which is why the company recommends that all users change their password “for maximum security”.
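To make the point about salted one-way hashes concrete, the following is an added example and not code from MyHeritage or from the article. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hash function; the article does not say which hash or parameters MyHeritage used, and the sample passwords and wordlist below are constructed for illustration. The example shows that two users with the same password get different salted hashes, that verification still works, and that a leaked salted hash of a weak password can still be recovered by guessing, which is the caveat behind the company's advice to change passwords.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Work factor for PBKDF2. Assumed value for the demo; production systems
# should tune this (or use Argon2/bcrypt) to their hardware and latency budget.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """Return a stored record: per-user random salt, work factor, and digest.

    The salt is generated fresh for every user unless one is supplied (only
    useful for tests); it is stored alongside the hash, not kept secret.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_hash(password: str) -> bytes:
    """The weak alternative: no salt, so equal passwords give equal digests
    and one precomputed table cracks every account at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def crack_record(record: Dict[str, object], wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing attack against a single leaked record.

    The salt is in the record, so an attacker simply recomputes each guess
    with it. Salting makes this per-account work; it does not make it fail.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


def linkable(record_a: Dict[str, object], record_b: Dict[str, object]) -> bool:
    """True if two stored records reveal that the users share a password."""
    return record_a["hash"] == record_b["hash"]


if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same weak password.
    alice = hash_password("password123")
    bob = hash_password("password123")
    print("salted hashes differ:", not linkable(alice, bob))
    print("unsalted hashes equal:",
          unsalted_hash("password123") == unsalted_hash("password123"))
    print("alice verifies:", verify_password("password123", alice))
    # Constructed wordlist standing in for a real cracking dictionary.
    wordlist = ["letmein", "qwerty", "password123", "123456"]
    print("cracked alice:", crack_record(alice, wordlist))
    strong = hash_password("c7Q!v9-rLm2#xPz")
    print("cracked strong:", crack_record(strong, wordlist))
```

The practical reading: a leaked file of salted hashes is not the same as a leaked file of passwords, but every account whose password appears in a cracking dictionary should be treated as compromised, and any other site where the same password was reused is exposed too.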
So far, MyHeritage is optimistic that the damage from the breach was limited. The company said that, beyond the email addresses and hashed passwords, no other data appears to have been affected, and that there is no indication the data was used for any malicious purpose. It also noted that it does not store credit card information and relies on third-party billing companies. Other sensitive information, such as DNA data and family trees, is stored separately from email addresses and has additional layers of security.
Ars contacted MyHeritage to ask why it hadn’t discovered the first breach and how the breach could have happened. We also asked for more information about the unidentified security researcher and where the stolen data was found. Rafi Mendelsohn, MyHeritage’s director of PR and social media, responded by email, saying only, “We are investigating that now and plan to post updates to the blog in the coming days.”
The discovery of the breach follows news that police used another genealogy site to track down a long-sought suspect in the Golden State Killer case. While investigators used publicly available genetic data in that case, it led to widespread security and privacy concerns around ancestry-tracking and DNA-testing sites, which have exploded in popularity recently.
To quell the fears among its users, MyHeritage says it has taken a number of steps. These include establishing an “Information Security Incident Response Team”, creating a 24/7 customer support line and working to improve security, including accelerating the rollout of a two-factor authentication feature.