MyHeritage, the popular genealogy company, was the victim of a data breach in which the email addresses and hashed passwords of 92 million users were exposed. The company disclosed the incident in a blog post on June 4, 2018, although the breach itself took place on October 26, 2017.
According to MyHeritage, the company was unaware of the breach for more than seven months, until June 4. On that day its Chief Information Security Officer received a message from an unidentified "security researcher" who said they had found a file on a private server outside MyHeritage containing the users' data.
In its blog post, the company confirmed that the file contains the email addresses of users who signed up for the service on or before October 26, 2017. "We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017, which is the date of the breach," the blog post stated.
The company also stressed that it does not store user passwords themselves, only one-way hashes of them. Credit card details are not stored either, since billing is handled by third-party payment providers. DNA data and family trees are kept on separate systems and, according to the company, were not affected by this breach.
In other words, alongside the 92 million email addresses, the attackers obtained the hashed passwords of every one of those accounts. The company argues this is not a cause for concern: "Anyone gaining access to the hashed passwords does not have the actual passwords." That is true only as far as it goes. A hash cannot be reversed, but whoever holds the file can guess candidate passwords offline and compare the hashes, so users who chose common or reused passwords are exposed regardless of the hashing scheme, which the company has not described. MyHeritage is nonetheless advising all users to change their password as a precaution.
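To show why "hashed" is not the same as "safe", the following added example (not code from MyHeritage or from the article) simulates an offline dictionary attack against a constructed leak of three accounts. The article does not say which hash function or salting scheme MyHeritage used, so the example assumes two illustrative schemes: an unsalted fast hash (SHA-1), where one lookup table cracks every user at once, and a salted, iterated hash (PBKDF2-HMAC-SHA256 with a per-user salt), where each guess must be recomputed per user. In both cases the accounts with common passwords fall; only the strong password survives. All emails, passwords and the wordlist are constructed for the demo.

```python
"""Offline guessing against leaked password hashes (added example, constructed data)."""
import hashlib
import os
from typing import Dict, List, Tuple

# A six-word stand-in for the multi-gigabyte wordlists attackers actually use.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "password123", "welcome1"]

# Constructed "victims": two chose common passwords, one chose a long random one.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice@example.com": "password123",
    "bob@example.com": "qwerty",
    "carol@example.com": "Rk9#vT2!mQ7&zL4p",  # not in any wordlist
}

# Deliberately low so the demo runs in well under a second; real deployments use
# hundreds of thousands of iterations (or memory-hard functions such as scrypt/Argon2).
DEMO_ITERATIONS = 1000


def make_unsalted_leak(passwords: Dict[str, str]) -> Dict[str, str]:
    """Scheme A (assumed for illustration): unsalted SHA-1 of each password."""
    return {email: hashlib.sha1(pw.encode()).hexdigest() for email, pw in passwords.items()}


def crack_unsalted(leak: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate word once and reuse the table for every user.

    Returns (recovered passwords by email, number of hash computations performed).
    Without salts the cost is proportional to the wordlist, not to the number of users.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {email: table[h] for email, h in leak.items() if h in table}
    return recovered, len(wordlist)


def make_salted_leak(passwords: Dict[str, str], iterations: int) -> Dict[str, Tuple[bytes, bytes]]:
    """Scheme B (assumed for illustration): PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt."""
    leak = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)
        leak[email] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return leak


def crack_salted(leak: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Per-user salts defeat the shared table: every guess is re-hashed for every user.

    Returns (recovered passwords by email, number of PBKDF2 computations performed).
    The salt and iteration count raise the cost per guess, but a common password is
    still found as soon as the attacker reaches it in the wordlist.
    """
    recovered: Dict[str, str] = {}
    work = 0
    for email, (salt, digest) in leak.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                recovered[email] = w
                break
    return recovered, work


if __name__ == "__main__":
    rec_a, work_a = crack_unsalted(make_unsalted_leak(SAMPLE_PASSWORDS), WORDLIST)
    print(f"unsalted SHA-1: recovered {rec_a} with {work_a} hash operations")
    rec_b, work_b = crack_salted(make_salted_leak(SAMPLE_PASSWORDS, DEMO_ITERATIONS),
                                 WORDLIST, DEMO_ITERATIONS)
    print(f"salted PBKDF2:  recovered {rec_b} with {work_b} PBKDF2 operations")
```

The point for users is the same under either scheme: a password that appears in a wordlist is recovered from its hash, so anyone who reused their MyHeritage password elsewhere should change it there as well. Salting and a slow hash only raise the attacker's per-guess cost; they do not protect a weak password.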
That still leaves the questions of how the breach happened and why it went undetected for so long. Ars Technica put these questions to MyHeritage, which replied that the investigation is ongoing and that it will publish any new findings.
On the security side, the company says it is taking several steps. Two-factor authentication will be added for user accounts, an Information Security Incident Response Team will be set up, and a 24/7 customer support line will be opened for users with questions about the incident.