DNA testing service MyHeritage said that a third-party security researcher discovered a file on a private server outside MyHeritage’s network that contained email addresses and hashed passwords of everyone who signed up for the service before and on the day of the breach: October 26, 2017. After receiving said file, the company’s Information Security Team verified the content and began an investigation into how someone obtained the information of more than 92 million individuals.
“MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer,” the company says. “This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
That could be why MyHeritage didn’t find any unusual activity associated with the compromised accounts after the October 2017 breach. The file containing the data simply sat on the external web server untouched by whoever retrieved the data from MyHeritage’s database. With only the email addresses on hand, the perpetrator(s) likely couldn’t break into any accounts.
According to MyHeritage, no other information could be obtained by the individual or party responsible for the breach. All payment information resides on third-party services such as PayPal and BlueSnap while family trees and DNA data are stored on a completely separate network and database. So far, there is no evidence that the hacker(s) infiltrated those systems too.
In addition to forming an internal Information Security Incident Response Team to investigate the breach, MyHeritage also turned to an independent cybersecurity firm for help in determining the extent of the breach, and how to better increase network security to prevent a similar incident in the future.
Meanwhile, the company plans to expedite development of its upcoming two-factor authentication service. That is an additional security component requiring a second form of identity verification outside the username and password, such as a smartphone for codes sent via SMS messages, fingerprint scanners, facial recognition, or specific apps. The company didn’t say when its two-factor authentication service will go live.
Despite the hashed passwords found in the leaked data, registered MyHeritage customers are urged to change their passwords as explained here. No other actions are required outside taking advantage of the two-factor service when it eventually goes live.
“As always, your privacy and the security of your data are our highest priority,” the company says. “We continually assess our procedures and policies and seek new ways to improve our approach to security. We understand the importance of our role as custodians of your information and work every day to earn your trust.”
The breach went unnoticed until 1 p.m. EST on June 4, 2018 when the security researcher contacted MyHeritage. That means the data sat unused on the external web server for around seven months, giving the hacker(s) plenty of time to infiltrate accounts and gather additional data. But all that effort to infiltrate MyHeritage produced a long list of over 92 million email addresses.
“We are taking steps to inform relevant authorities as per the General Data Protection Regulation,” the Israel-based company states.