MyHeritage Data Breach: 4 Fast Facts

Last night, Israel-based genealogical ancestry company MyHeritage announced a cybersecurity incident that may have exposed the email addresses and passwords of exactly 92,283,889 customers. The astronomical number may knock some out of their seats, but there’s a lot of nuance to this story. Here’s the 4 most important things to know about the situation as it continues to unfold.

>>>READ: Forensic Genealogy Is Neat. Is It Ethical, Though?

The breach occurred in October, and MyHeritage had help in finding it.

The issue first came to the company’s attention when an unknown security researcher emailed the company’s Chief Information Security Officer that he had stumbled onto a file labelled “MyHeritage” residing in a private server. Sure enough, it fit the description, and the company was able to verify its accuracy once alerted. The breach was determined to have occurred on October 26, 2017, and includes the email addresses and hashed passwords (more on that below) of all users who signed up prior to that date. It’s still unclear how the information made it to the private server, though.

Hashed passwords are difficult (but not impossible) to crack.

Hashing is a form of 1-way encryption that is very difficult for an outside actor to reverse engineer. As TechCrunch notes, it would take “immense amounts of computing power and quite a bit of luck” to do so. Accounts could, however, still be compromised if the leaked email addresses popped up with their passwords in another breach—but that would also require some luck. MyHeritage is still urging users to change their passwords just in case.

Only email addresses and passwords were contained.

The company said in its statement that, to its knowledge, the data only consisted of account logins. Payment is handled by third-party vendors, so it does not have access to consumer financials, and DNA and family tree information are stored on separate, segregated systems with additional security layers. “We have no reason to believe those systems have been compromised,” the company wrote. So, someone isn’t out there walking around with 92,283,889 peoples’ DNA, as far as we know…and even if they were, there’s some confusion over what they’d even be able to do with it.

MyHeritage says the event will “expedite” implementation of better security measures.

The company said that it had notified proper authorities under the European Union’s sweeping new General Data Protection Regulation (GDPR) rules—implemented just last week—and that it was setting up an internal team to investigate the incident. It will also be hiring an outside firm to survey its cybersecurity protocols. It added that it had already been working to implement 2-factor authentication for those users who prefer the added security layer, and it was now working more quickly to roll out the option.

Related Coverage:

Hacker Accuses Michigan Ophthalmologists of Hiding His Attack for 2 Years

May: Another Banner Month for OCR-Reported Data Breaches (In a Bad Way)

How Did 23andMe Stumble in Its Early Days?