MyHeritage breach exposes 92M emails and hashed passwords

The genetic analysis and family tree website MyHeritage was breached last year by unknown actors, who exfiltrated the emails and hashed passwords of all 92 million registered users of the site.
No credit card info, nor (what would be more disturbing) genetic data appears to have been collected. The company announced the breach on its blog, explaining that an unnamed security researcher contacted them to warn them of a file he had encountered "on a private server," tellingly entitled "myheritage." Inside it were the millions of emails and hashed passwords. Hashing a password is a one-way process that lets a site store a check value instead of the password itself, and although there are theoretically ways to work back from a hash to the password, they involve immense amounts of computing power and quite a bit of luck.
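As an added illustration of why "hashed" is only as protective as the scheme behind it (example code written for this page, not MyHeritage's own; the post does not say which hashing method the site used), this compares a fast, unsalted hash with a salted, deliberately slow key derivation on two constructed sample accounts:

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed sample accounts for this example; both happen to use the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 200_000  # raise over time as hardware gets faster


def hash_fast_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Still one-way, but every user with the
    same password gets the same digest, and one table of guesses covers all records."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted_slow(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Recommended scheme: a random per-user salt plus a deliberately slow
    key-derivation function (PBKDF2-HMAC-SHA256 here). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted_slow(password, salt)
    return hmac.compare_digest(digest, expected)


def distinct_digests(users: Dict[str, str], hasher: Callable[[str], object]) -> int:
    """How many distinct digests a leaked password file would contain. With the
    unsalted scheme, users sharing a password collapse into one digest (so one
    recovered password unlocks all of them); with salts each record stands alone."""
    return len({hasher(pw) for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct digests:", distinct_digests(SAMPLE_USERS, hash_fast_unsalted))
    print("salted distinct digests:", distinct_digests(SAMPLE_USERS, lambda pw: hash_salted_slow(pw)[1]))
    salt, digest = hash_salted_slow("correct horse battery staple")
    print("verify correct:", verify_salted("correct horse battery staple", salt, digest))
    print("verify wrong:", verify_salted("not the password", salt, digest))
```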
So the passwords are probably safe, but MyHeritage has advised all its users to change theirs regardless, and they should. The emails are not fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches. They're mainly damaging in connection with other data. For instance, the hackers could put 2 and 2 together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That's why it's good to use a password manager and have unique passwords for every site.

MyHeritage's confidence that other data was not accessed appears to be for a good reason:

"Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."

Of course, until recently the company had no reason to believe the other system had been compromised, either. That's one of those tricky things about cybersecurity.
But we can do the company the credit of understanding from this statement that it has looked closely at its more sensitive servers and systems since the breach and found nothing. Two-factor authentication was already in development, but the team is "expediting" its rollout, so if you're a user, be sure to set that up as soon as it's available. A full report will likely take a while; the company is planning to hire an external security firm to look into the breach, and is working on notifying relevant authorities under U.S. laws and GDPR, among others. I've asked MyHeritage for further comment and clarification on a few things and will update this post if I hear back.