The family tree and genetic analysis website MyHeritage was breached in 2017 by unknown hackers, who succeeded in stealing emails and hashed passwords for all of the more than 92 million registered users on the site.
Neither payment card information nor genetic data appears to have been taken. The breach was announced by MyHeritage on its own blog. The company explained that it had been contacted by an unnamed security researcher, who warned it of a file titled myheritage that he had encountered on a private server. Inside the file were the emails and the hashed passwords.
Password hashing is a one-way process that allows sensitive data to be stored easily. Although there are theoretically ways of reversing the hashing, doing so requires an immense amount of computing power along with a large amount of luck.
Because of that, the passwords are likely safe, but MyHeritage has nonetheless advised all of its users to change their passwords.
Email addresses on their own do not usually reveal much, as billions have been exposed over time through, for example, the Yahoo and the recent Equifax breaches. They usually become damaging when combined with other data.
For instance, if hackers can cross-reference the list of more than 92 million emails with another email list from a separate breach that has corresponding passwords, they could possibly find a password that matches an email.
MyHeritage does not store payment card information on its systems but uses a third-party provider. Other types of data considered sensitive, such as DNA and family trees, are stored by MyHeritage on separate, segregated systems that do not include the emails and that have several layers of security.
Of course, until just recently the company had no reason to think that its other system might have been compromised. That is the tricky thing about today’s world of cybersecurity.
The company was already developing two-factor authentication, but will now expedite its rollout. Users will be able to set that up quite soon.
The company is likely to hire an external security company to give it a full report. At the same time, MyHeritage has notified law enforcement in both the U.S. and Europe, amongst others.