Genealogy site MyHeritage says 92 million user accounts compromised in major breach

MyHeritage, a site that offers DNA testing and genealogy services, has suffered a data breach compromising the personal data, email addresses and hashed passwords of over 92 million users. The company said it was notified about the incident by a security researcher who said he found a file named “myheritage” that contained email addresses and hashed passwords on a private server outside of MyHeritage.

The company investigated the report and confirmed the file contained data on 92,283,889 users who signed up for the genealogy service before October 26, 2017 - the date the company says the breach occured.It has also launched an investigation into how the breach occurred and its systems exploited.

The company has not not disclosed the identity of the researcher.

The Israel-based company noted it “does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer.”

"There has been no evidence that the data in the file was ever used by the perpetrators," Omer Deutsch, the company's chief information security officer, said in a blog post. “Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

MyHeritage said it believes the intrusion was limited to user email addresses and does not believe any other MyHeritage systems were compromised.

The service itself allows users to search a host of genealogy records to build family trees and discover their ancestral history. However, it noted that this information regarding family trees and DNA data are stored on separate systems and were not impacted in the breach.

“Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage,” Deutsch said. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.”

Meanwhile, all MyHeritage customers have been asked to change their account passwords. The company will soon be rolling out two-factor authentication to ensure maximum security.

“We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future,” the company said.

In compliance with the EU’s new privacy law, GDPR, MyHeritage is taking steps to inform authorities.