DNA testing company MyHeritage exposes data of 92 million users

MyHeritage is informed about the cybersecurity incident which occurred back in October 2017

MyHeritage, the company focusing on DNA testing and family ancestry, has recently announced about a serious leakage involving 92.3 million of its users. The company became aware about the security breach on 4th of June, aAfter being informed by an anonymous security researcher about an unprotected file called myheritage on a private server.

According to MyHeritage blog post,^[1] the leak affects users who registered for their service prior to October 26, 2017, which is the date of the data breach. As soon as the security researcher contacted the company, they began the investigation which confirmed that as many as 92,283,889 e-mail addresses and hashed passwords were harvested from a legitimate database.

The company is confident that the data breach only affected users' emails

As the researcher pointed out, no other databases were found on a private server and the data file discovered there has never been used for any purpose by hackers. Fortunately, MyHeritage does not collect clients' passwords. Instead, they store one-way hash which differs for each user. Thus, the company is confident that users' passwords are safe, and only e-mail addresses were leaked.

Omer Deutsch, Chief Information Security Officer of MyHeritage, also added that the company cannot see any signs of more accounts being jeopardized after October 2017:

Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

Fortunately, the account information of visitors is not stored by the company. MyHeritage relies on trusted billing providers, including PayPal and BlueSnap. Additionally, all the other sensitive information stored by the firm (such as DNA data or family tree history) is stored in a separate database which has an extra layer of protection against hacks.

The extra precaution steps taken by MyHeritage

According to Deutsch, once they were informed about the leak, an immediate investigation was launched by Information Security Incident Response Team. The company hired a professional cybersecurity company to take on investigation to acquire more details about the incident and take extra precaution measures in order to protect personal user data in the future.

In addition, MyHeritage promised to launch two-factor authentication^[2] service that could help users protect their accounts even further. Additionally, Deutsch urged all customers to change passwords for maximum safety. He added:

For now, there are no other actions that MyHeritage users need to take as a result of this incident. However, we always recommend that you take the time to evaluate your security practices. Please, avoid using the same password for multiple services or websites. It’s good practice to use stronger passwords and to change them often.

Data breach is still believed to be a serious concern

Many security experts are concerned^[3] about the information technology security practices undertaken by various companies and organizations. Employees and employers should be more aware of security risks, and proper training in cybersecurity should be one of the top priorities in the current time.

While Equifax data leak^[4] exposed private information of 147.9 million users (which is considered the largest leak to date), there were several other incidents^[5] in the past few years. Even though MyHeritage data breach, most likely, consisted of only users' emails, it is still private information which should be kept away from crooks hands.