Genealogy site MyHeritage hit by hackers

6 Jun 2018


MyHeritage discloses data breach with 92m users’ data stolen by hackers.

Hackers have accessed the details of some 92m users of Israeli DNA testing site MyHeritage, including email addresses and hashed passwords.

It is understood that a security researcher found the data relating to the genealogy and DNA testing service sitting on a server.

“Our information security team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords,” the company said in a statement.

“Immediately upon receipt of the file, MyHeritage’s information security team analysed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system.

“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including October 26, 2017 which is the date of the breach.”

Hashed passwords: are they secure?

The company said that it does not believe hackers were able to get their hands on genuine passwords.

“MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”

While password hashing is a one-way process that is not easy for hackers to reverse, MyHeritage has advised all of its users to change their passwords just in case.
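The following is an added example, not MyHeritage's code: the statement does not name the hash function, so PBKDF2-HMAC-SHA256 with a random per-user salt is assumed here to illustrate a one-way hash whose key differs for each user, and why a password change is still advised. All function names and sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the record a site would store: salt, work factor and digest, never the password."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def uses_listed_password(record: dict, common_passwords: list) -> bool:
    """Audit check: a salt does not protect a password found on a common-password list."""
    return any(verify_password(p, record) for p in common_passwords)


if __name__ == "__main__":
    # Constructed sample accounts: two users choose the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different stored hash:", alice["hash"] != bob["hash"])
    print("login check succeeds:", verify_password("correct horse battery staple", alice))

    # A widely used password is still confirmable from its record, salt or not.
    weak = hash_password("password1")
    print("weak record flagged:", uses_listed_password(weak, ["123456", "password1", "qwerty"]))
```

The per-user salt means one precomputed table cannot be reused across accounts, but a record for a commonly chosen password can still be confirmed by guessing, which is the case a forced password change covers.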

MyHeritage also said that financial information was not exposed.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.

“As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (BlueSnap, PayPal) utilised by MyHeritage.

“Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the company said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
