MyHeritage breach exposes 92M emails and hashed passwords

Gladys Abbott
June 7, 2018

On June 4, 2018, at approximately 1pm EST, MyHeritage's Chief Information Security Officer received a message from a security researcher saying he had found a file named myheritage, containing email addresses and hashed passwords, on a private server outside of MyHeritage. The website now has 96 million users; 1.4 million users have taken the DNA test. The company determined the file was legitimate and contained the information of 92,283,889 users who had created an account up to the breach date. "This means that anyone gaining access to the hashed passwords does not have the actual passwords", the company wrote. When a user enters a password on a website, the website does not use a key to decrypt the stored value; it performs the same hashing process on the entered password and compares the result against the original hash.

MyHeritage said that the hashing is "one-way", meaning that it is nearly impossible to turn the hashed password back into the original.
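The verify-by-rehashing flow described above, as an added example that is not MyHeritage's code. The article does not name the algorithm, so PBKDF2-HMAC-SHA256 with a per-user random salt and the iteration count shown are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration; the article does not say which
# algorithm, salt scheme or work factor MyHeritage uses.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a site would store: salt, iteration count and digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-run the same hashing on the login attempt and compare digests."""
    recomputed = hashlib.pbkdf2_hmac(
        ALGORITHM,
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample accounts: two users who picked the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    return {
        "alice_login_ok": verify_password("correct horse battery staple", alice),
        "wrong_password_ok": verify_password("Correct horse battery staple", alice),
        # Different salts mean identical passwords do not share a stored hash.
        "same_password_same_hash": alice["hash"] == bob["hash"],
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the stored record is decrypted at login; the only way to test a guess is to pay the full hashing cost again with that account's salt.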

No other information, except for the email addresses and hashed passwords, was exposed, MyHeritage said.

Mr Deutsche added that no other data related to MyHeritage had been found on the server, and that there was no evidence that the data had ever been used by the perpetrators. In 2012 and 2016 nearly 200 million LinkedIn user passwords went on sale following a 2012 breach, despite the fact that the service hashed its passwords.

"Here's what many consumers don't realize, that their sensitive information can end up in the hands of unknown third-party companies", Schumer said last November. "Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised".

There's an investigation into how the hack happened and MyHeritage is taking measures to avoid a repeat incident.

In its statement, the company emphasized that DNA data is stored "on segregated systems and are separate from those that store the email addresses, and they include added layers of security".

MyHeritage recommends users change their passwords and said they should take advantage of a two-factor authentication feature the company plans to release soon.

The company has set up what it refers to as an "Information Security Incident Response Team" in order to investigate the incident, and says that it is trying to determine the scope of the incident and find out how to prevent it happening again.
