Data From MyHeritage Shows Up On Third Party Server…. Millions Of Accounts Affected

MyHeritage, a genealogy and DNA testing service has announced that a researcher uncovered 92 million account details related to the company sitting on a server. In other words, there’s a data breach of epic proportions. Here’s the details via the announcement from MyHeritage:

Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.

Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.

The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators. Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

Well. That is not good to say the least. The usual advice in this sort of situation applies such as changing your password for this service. There doesn’t seem to be any indication of any payment info being swiped at this point. So I think you don’t have to worry about that at this point. I will also note that the company reported this according to GDPR regulations, so that’s positive. Hopefully MyHeritage explains what happened here and what they are going to do to stop it from happening again if they want to regain the trust of their users.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: