92 million accounts may have been exposed in a recent cybersecurity incident. Actually, 92,283,889, to be exact.
Last night, Israel-based genealogical ancestry company MyHeritage announced a cybersecurity incident that may have exposed the email addresses and passwords of exactly 92,283,889 customers. The astronomical number may knock some out of their seats, but there’s a lot of nuance to this story. Here are the four most important things to know about the situation as it continues to unfold.
The breach occurred in October, and MyHeritage had help in finding it.
The issue first came to the company’s attention when an unknown security researcher emailed the company’s Chief Information Security Officer to say that he had stumbled onto a file labelled “MyHeritage” on a private server. Sure enough, it fit the description, and the company was able to verify its accuracy once alerted. The breach was determined to have occurred on October 26, 2017, and includes the email addresses and hashed passwords (more on that below) of all users who signed up prior to that date. It’s still unclear how the information made it to the private server, though.
Hashed passwords are difficult (but not impossible) to crack.
Hashing is a one-way transformation, often loosely called one-way encryption, that is very difficult for an outside actor to reverse. As TechCrunch notes, it would take “immense amounts of computing power and quite a bit of luck” to do so. Accounts could, however, still be compromised if the leaked email addresses popped up with their passwords in another breach, but that would also require some luck. MyHeritage is still urging users to change their passwords just in case.
Only email addresses and passwords were contained.
The company said in its statement that, to its knowledge, the data only consisted of account logins. Payment is handled by third-party vendors, so it does not have access to consumer financials, and DNA and family tree information are stored on separate, segregated systems with additional security layers. “We have no reason to believe those systems have been compromised,” the company wrote. So, someone isn’t out there walking around with 92,283,889 people’s DNA, as far as we know… and even if they were, there’s some confusion over what they’d even be able to do with it.
MyHeritage says the event will “expedite” implementation of better security measures.
The company said that it had notified proper authorities under the European Union’s sweeping new General Data Protection Regulation (GDPR) rules—implemented just last week—and that it was setting up an internal team to investigate the incident. It will also be hiring an outside firm to survey its cybersecurity protocols. It added that it had already been working to implement 2-factor authentication for those users who prefer the added security layer, and it was now working more quickly to roll out the option.