Email Addresses of 92 Million Users Spilled in MyHeritage Breach
The genealogy site MyHeritage said Monday that it suffered a breach last year that exposed 92 million of its users emails and hashed passwords.
MyHeritage, an online genealogy platform, confirmed Monday that a file a researcher spotted floating around the internet contained data on 92 million of its users.
The site, similar to Ancestry.com, allows users to trace their genealogical roots by accessing online family trees, census records, and by testing their DNA. Omer Deutsch, the company's Chief Information Security Officer, said Monday that he received a message from an unnamed security researcher around 1 p.m. EST claiming he came across a file named "myheritage" on a private server, outside of MyHeritage.
Upon investigating the file's contents, the service confirmed it contained legitimate email addresses of users dating back to October 27; the date the company was apparently breached. Specifically it contained the email addresses and hashed passwords of 92,283,889 users.
It's unclear at this point how the company was breached and why it was unaware until this week.
The service, which is headquartered in Israel, stressed Monday that the file only contained the email addresses of users and their hashed passwords. The company claims it stores one-way hashes of passwords. One-way hash functions are designed to make passwords harder to crack. Traditionally input messages of various lengths are put into output binary sequences of fixed length. While the technique should make it more tricky to decrypt the passwords, it's not a failsafe.
101 Data Protection Tips: How to Keep Your Passwords, Financial & Personal Information Online Safe
In wake of the breach the company claims its speeding up work around a two-factor authentication feature it was planning on pushing to users in the future. The company claims it started an internal Information Security Incident Response Team to look into the incident and has enlisted a cybersecurity firm to determine how exactly the company was breached, two steps commonly taken by companies following a breach.
Deutsch claims that information like credit card details, DNA data, and data on family histories, was not implicated in the breach as that data is kept on separate systems.
The company, which also has offices in Lehi, Utah, Kyiv, Ukraine, and Burbank, California, claims to store 2,841,639,424 genealogic records.
From the sounds of it almost every MyHeritage user had their email spilled. According to the MyHeritage's Twitter account summary, the service boasts 95 million users.
It should go without saying but the company is urging customers to change their passwords and avoid using the same password for other services they used for MyHeritage, likely in the event the cache of passwords is ever decrypted.
The company said Monday that it's also taking "steps to inform relevant authorities including as per GDPR," although at this point it's unclear what the immediate repercussion of the breach would be. According to the GDPR directive, the law applies to personal data, anything that can identify a ‘natural person,’ like a name, photo, or email address.
The breach is similar to an issue involving RootsWeb, a community-driven site run by Ancestry.com, that was found leaking user information last December. Troy Hunt, the creator of Have I Been Pwned?, discovered the issue after he stumbled upon data stored insecurely on one of its servers. 300,000 plain text passwords, email addresses, and usernames were exposed, apparently as far back as 2015. Many of those logins were used on both RootsWeb and Ancestry.com according to a blog by Tony Blackham, Ancestry's Chief Information Security Officer. The breach forced the company to take RootsWeb offline to ensure that data is protected. Ancestry.com is still in the process of bringing the site back to life; it brought back mailing lists in March and is in the process of resurrecting old archives.