Company learned of the attack when a security researcher sent a data file.
Email addresses and hashed passwords of more than 92 million MyHeritage users were exposed in a cybersecurity breach on October 26, 2017, the popular genealogy company reported Monday, June 4, 2018.
MyHeritage said that it only learned of the breach earlier that day—more than seven months after the fact—when an unidentified “security researcher” sent the company’s chief information security officer a message. The researcher said they had found a file containing users’ data on a private server and passed a copy of the file along.
MyHeritage, which allows users to set up family trees and probe their DNA for clues about their ancestry, promptly reported the breach in a blog post, writing:
Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
The post went on to explain that the company does not store user passwords, only a one-way hash of each password, and that the random value mixed into each hash, known as a salt, differs for each user. Having a hashed password does not mean that the real password is revealed; whoever holds the file still has to guess each user's password and test every guess against that user's salted hash, which is slow in bulk but feasible for weak passwords. Nevertheless, the company recommends that all users change their passwords “for maximum safety.”
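The scheme the post describes, as an added illustration that is not MyHeritage's code (the page does not name the hash function; PBKDF2-HMAC-SHA256 and the sample users are assumptions): each user gets a random salt, only the salt and the one-way hash are stored, and two users who pick the same password end up with unrelated hashes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Kept low so the example runs quickly;
# production deployments use a far higher count (or a memory-hard KDF such as
# Argon2). The algorithm is an assumption: the page says only that the hash is
# one-way and salted per user.
ITERATIONS = 10_000
SALT_BYTES = 16


def create_record(email: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record: email, per-user random salt and the one-way hash.
    The plaintext password is never kept."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"email": email, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the user's own salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_different_hashes(password: str) -> bool:
    """Two users choosing the same password get unrelated stored hashes, so a
    leaked file does not reveal who shares a password with whom."""
    a = create_record("alice@example.com", password)  # constructed sample users
    b = create_record("bob@example.com", password)
    return (
        a["hash"] != b["hash"]
        and verify_password(a, password)
        and verify_password(b, password)
    )
```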
So far, MyHeritage is optimistic that the breach’s damage was limited. The company said that it seems as though email addresses were the only data affected and no evidence suggests that the data was used for any nefarious purpose. It also noted that it doesn’t store credit card information, relying on third-party billing companies. Other sensitive information, such as DNA data and family trees, is stored separately from email addresses and has extra layers of security.
Ars reached out to MyHeritage to ask why it hadn’t detected the initial breach and how the breach could have happened. We also asked for more information on the unidentified security researcher and where the stolen data was found. Rafi Mendelsohn, MyHeritage’s director of PR and social media, responded by email, saying only that: “We are investigating that right now and plan to have updates on the blog over the next few days.”
Discovery of the breach falls on the heels of news that law enforcement used a different genealogy site to track down a long-sought suspect in the Golden State Killer case. Though investigators used publicly available genetic data in that case, it raised widespread security and privacy concerns surrounding such ancestry-tracking and DNA testing sites, which have exploded in popularity recently.
To quell fears among its users, MyHeritage says it has taken a number of steps. These include setting up an “Information Security Incident Response Team,” creating a 24/7 customer support line, and working on beefing up security, including fast-tracking a two-factor authentication feature.