When you sign up to a website handling sensitive information, perhaps a medical service or social network, one of the basic things you’re probably hoping for is that the site can keep control of its users’ data. Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage.
The data relates to users who signed up to MyHeritage up to and including October 26, 2017—the date of the breach—the announcement adds.
Users of the Israel-based company can create family trees and search through historical records to try to uncover their ancestry. In January 2017, Israeli media reported that the company had some 35 million family trees on its website.
In all, the breach impacted 92,283,889 users, according to MyHeritage’s disclosure.
On Monday, the company’s chief information security officer “received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed password, on a private server outside of MyHeritage,” the announcement reads. Password hashes are one-way cryptographic representations of passwords, meaning companies don’t have to store the actual password itself, although, depending on the algorithm used, hackers may still be able to crack them.
MyHeritage’s post notes that “the hash key differs for each customer,” suggesting the company is also using a so-called salt: an additional, typically unique value added to the password before hashing to make the resulting hash more resistant to cracking.
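To make the per-customer salt concrete, here is an added example of the pattern described above; it is illustrative code written for this article, not MyHeritage’s own implementation, and the page does not say which algorithm the company uses. The example assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt per user, stores the salt alongside the hash, and contrasts it with an unsalted single-pass hash to show why a per-user salt matters when a hash file leaks.

```python
import hashlib
import hmac
import os

# Parameters for PBKDF2-HMAC-SHA256. The article does not state which
# algorithm MyHeritage uses; these values are assumptions for illustration.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated per call, so two users with the same
    password get different records, and a table precomputed for one user
    (or for a common password) does not apply to another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash using the salt and iteration count stored in the record."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != f"pbkdf2_{HASH_NAME}":
        return False
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password):
    """The weak pattern: one fast, unsalted hash. Shown only for contrast."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def demo():
    """Constructed sample accounts (not real MyHeritage data) sharing one password."""
    users = {
        "alice@example.com": "correct horse battery staple",
        "bob@example.com": "correct horse battery staple",
    }
    salted = {email: hash_password(pw) for email, pw in users.items()}
    unsalted = {email: unsalted_sha1(pw) for email, pw in users.items()}
    return {
        # Same password, but per-user salts make the stored records differ.
        "salted_records_differ": salted["alice@example.com"] != salted["bob@example.com"],
        # Without a salt, identical passwords show up as identical hashes in a leaked file.
        "unsalted_records_equal": unsalted["alice@example.com"] == unsalted["bob@example.com"],
        "alice_verifies": verify_password(users["alice@example.com"], salted["alice@example.com"]),
        "wrong_password_rejected": verify_password("not the password", salted["alice@example.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format stores the iteration count with the hash so the parameter can be raised later without invalidating existing accounts; a real deployment would typically use a library that handles this bookkeeping (and a memory-hard function such as Argon2 or scrypt) rather than hand-rolling it.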
On its website, MyHeritage says "your privacy and the security of your data is as important to us as it is to you. We have made significant investments to ensure that your account and personal details are secured and protected by multiple layers of encryption. All testing is done in our world-leading CLIA-certified, CAP-accredited laboratory in the United States."
MyHeritage says it has no reason to believe other user data was compromised. Customer credit card information is processed by third parties such as PayPal, and users’ DNA data is stored on systems separate from those containing customers’ email addresses, the company claimed.
The lesson: Although it appears that hackers have not accessed MyHeritage accounts themselves, as the company notes, this is still a good opportunity to remember not to reuse the same password across multiple sites and services. MyHeritage also says in its announcement that it will be rolling out two-factor authentication to all users; if you’re concerned about someone accessing your MyHeritage data in the future, it is certainly worth enabling that feature too.