MyHeritage suffers massive data leak affecting 92m users

No signs hackers have got hold of user data, says DNA testing firm

The email addresses of more than 92 million MyHeritage users were recently exposed via a private server outside of the company's control, it revealed yesterday, as it launches an investigation into the breach.

The US-based geneology platform admitted the breach eight hours after an anonymous security researcher sent it a file containing the email addresses of 92,283,889 users who'd signed up to the service by 26 October 2017, representing 96% of its userbase, along with their hashed passwords.

MyHeritage believes the leak was limited to email addresses, as it doesn't store passwords; rather it stores a one-way hash of each password, in which the hash key differs for each customer. Its information security incident response team is still investigating the breach, but does not have an update regarding the source of the leak.

While it hasn't revealed where the private server in question was, it said there is no evidence that any hackers ever accessed the data stored on it.

The company said it had no reason to believe any other systems were compromised, and had not seen any activity indicating accounts were compromised as a result of the leak. Sensitive information, such as family tree or DNA data, are stored on segregated systems separate from the servers that store email addresses, and are fitted with additional layers of security.

"Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident," wrote chief information security officer Omer Deutsch on a post on the company's website.

"We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion, and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future."

Deutsch added in a follow-up post published today that "from the moment this became known to us we have been working literally around the clock, taking additional steps to help protect our users". 

He also outlined how the company intends to bolster its security measures in future, including rolling out two-factor authentication to its users, as well as setting up a 24/7 security customer support team to assist users with concerns about the incident.

Meanwhile, MyHeritage said it has reported the leak to the relevant authorities in light of the EU's General Data Protection Regulation (GDPR), and has begun the process of force-expiring all user passwords, with more than half of user accounts now expired. Furthermore, the company is preparing to contact affected users individually via email.

The scale of the breach is comparable to a similar breach affecting 150 million MyFitnessPal users earlier this year - considered one of the largest in history - in which attackers stole usernames, email addresses, and hashed passwords.

Although data breaches have been on the rise globally, findings published in April suggest that leaks originating from UK organisations have declined, with 40% fewer data records stolen or compromised in 2017 against the previous year.

Picture: Bigstock

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021