MyHeritage, the genealogy website and DNA testing service, says the email addresses and hashed passwords of its customer database — some 92 million user accounts — were found on a private server.
The security breach, discovered by a researcher, includes all the email addresses of MyHeritage users who signed up through Oct. 26, 2017. MyHeritage’s security team is investigating the data breach to identify any potential exploitation of its system.
For the millions of people whose email addresses were stored on the private server, the impact should be minimal, MyHeritage said in a blog post reporting the incident. MyHeritage doesn’t store user passwords. Instead it uses a one-way hash of each password, in which the hash key differs for each customer.
A hacker who gains access to the hashed passwords doesn’t have the actual passwords, MyHeritage said.
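The storage scheme the company describes, a one-way hash with a per-customer "hash key" (a salt), is illustrated below. This is an added example, not MyHeritage's code, and it assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt as the concrete construction, which the article does not specify. It shows why a leaked record of this kind does not hand over the password, why two customers with the same password end up with different records, and, for contrast, why an unsalted hash would not give that property.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it over time as hardware speeds up.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh 16-byte random salt is drawn on every call, so two users who pick the
    same password get different records, and a table of precomputed digests built
    for one salt is useless against every other record.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The password itself is never stored; only the salt and the one-way digest are,
    so a login check needs the candidate password from the user each time.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """Contrast case: a bare, fast hash with no per-user salt.

    Every user with the same password gets the identical value, so one stolen
    table can be attacked in bulk against a single precomputed lookup.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not data from the incident.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password(stored, "correct horse battery staple"))
    print("login with wrong password:", verify_password(stored, "Correct horse battery staple"))
    print("same password, different record:", stored != hash_password("correct horse battery staple"))
```

The record format carries its own iteration count, so the work factor can be raised for new records while old ones remain verifiable until their owners next log in and can be re-hashed.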
The company said no other data related to MyHeritage was found on the private server, and there’s no evidence the information was ever used by the perpetrators. Other sensitive data, including family trees and DNA data, are stored on segregated systems, separate from those that house email addresses. These systems have added security, MyHeritage said, adding that it has no reason to believe they were compromised.
“We believe the intrusion is limited to the user email addresses,” MyHeritage’s chief security officer Omer Deutsch wrote in the blog post. “We have no reason to believe that any other MyHeritage systems were compromised.”
Still, MyHeritage is taking steps to beef up security and suggests users change their passwords. MyHeritage, which launched its DNA testing service in 2016, says it’s speeding up efforts to roll out a two-factor authentication feature for users. Two-factor authentication is a security tool that prompts users to authenticate themselves using a mobile device in addition to a password.
MyHeritage has also hired an independent cybersecurity firm to conduct a forensic review of the breach.