
Genealogy Service MyHeritage Leaked 92 Million Credentials

Company Says No Indications Data on Family Trees, DNA Results Affected

The genealogy service MyHeritage says a security researcher found 92 million email addresses and hashed passwords for its users on a private external server.


The researcher, who was not named, found a file called "myheritage," writes Omer Deutsch, MyHeritage's CISO, in a blog post. The researcher passed it to the company's security team, which confirmed the data.

MyHeritage's website says it has 96 million users worldwide, meaning the breach affected almost its entire user base. Deutsch did not indicate what might have caused the breach.

Investigation Underway

Anyone who registered an account with the company through Oct. 26, 2017, when the breach occurred, is affected. MyHeritage has not detected abnormal activity associated with leaked accounts since that day, Deutsch writes.

"We believe the intrusion is limited to the user email addresses," Deutsch writes. "We have no reason to believe that any other MyHeritage systems were compromised."

The company doesn't store payment information because that function is outsourced to third-party billing providers, such as BlueSnap and PayPal. MyHeritage has set up an information security response team to handle the breach.

"We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future," Deutsch says.

The company also is taking steps to notify regulators in Europe in accordance with the General Data Protection Regulation. The regulation, for which enforcement began last month, requires entities that have experienced a breach of European residents' data to notify regulators and those affected within 72 hours (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).

Sensitive Data Segregated

By their very nature, genealogy services could potentially hold very sensitive information about their users. MyHeritage offers a DNA testing service, which includes an ethnicity analysis.

MyHeritage can also match DNA results with those of other similar people who have uploaded their profiles.

Deutsch writes that family tree and DNA data are stored "on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."

No Two-Factor Authentication

MyHeritage doesn't offer two-factor authentication, but is planning to soon, Deutsch explains in his blog. "This will allow users interested in taking advantage of it to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access," he writes.

Two-factor authentication largely negates the immediate risk of account takeover, but it's still generally recommended that users change their passwords after a breach. MyHeritage is recommending that to users, but it wasn't clear if the service may eventually choose to force users to change their passwords.

MyHeritage says it stored password hashes, which is a better security practice than storing plain-text passwords. But the security of those password hashes also depends on what algorithm the company used to generate the hashes.

Some hashing algorithms are considered less secure than others due to advances in computing power. That power can be used to rapidly generate hashes from lists in an effort to find a matching one that reveals the plain-text password.
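
The difference the algorithm makes can be seen in a short Python sketch. This is an added example, not code from MyHeritage or from the article, and the article does not say which algorithm the company used; SHA-1, PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen to contrast a fast unsalted hash with a salted, deliberately slow one.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def fast_unsalted(password):
    """Weak storage: a single fast SHA-1 pass with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Stronger storage: per-user random salt plus an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, stored_digest):
    """Recompute with the stored salt; compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], stored_digest)


def seconds_per_hash(hash_fn, rounds):
    """Average wall-clock cost of computing one hash."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn("constructed-sample-password")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    pw = "constructed-sample-password"
    print("unsalted hashes equal:", fast_unsalted(pw) == fast_unsalted(pw))
    (salt_a, hash_a), (salt_b, hash_b) = slow_salted(pw), slow_salted(pw)
    print("salted hashes equal:  ", hash_a == hash_b)
    print("verify correct/wrong: ", verify(pw, salt_a, hash_a),
          verify("wrong-guess", salt_a, hash_a))
    fast = seconds_per_hash(fast_unsalted, 20_000)
    slow = seconds_per_hash(slow_salted, 3)
    print(f"cost per hash: fast {fast:.2e}s, slow {slow:.2e}s, "
          f"ratio about {slow / fast:,.0f}x")
```

With the unsalted scheme, every account sharing a password shares a hash, so one match exposes all of them; with per-user salts and a high work factor, each leaked record has to be worked on separately and at far greater cost per guess.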

Efforts to reach MyHeritage officials weren't immediately successful.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



