Israel-based DNA testing and genealogy firm MyHeritage has suffered a major data breach which has compromised the hashed passwords and email addresses of 92 million users.
In an announcement, MyHeritage Information Security Officer Omer Deutsch outlined that an anonymous security researcher came across a suspicious file dubbed “MyHeritage” on a distinct server just outside the company’s systems.
The unnamed researcher downloaded the file and sent it to the firm for assessment, and the firm soon identified that it had originated from its own servers.
Writing in an official blog post, Deutsch explained that they determined the file to be legitimate and found that it contained the hashed passwords and email addresses of more than 92 million users who had been members of MyHeritage up until the date of the breach in October 2017.
He further explained that, rather than storing user passwords themselves, MyHeritage stores a one-way hash of every password, and that the hash key differs for each customer.
This means that having access to the hashed passwords does not amount to having the actual passwords.
And while he did not specify the precise password-hashing scheme, the fact that the firm made no effort to force password resets on its users suggests it is relatively confident that the attacker cannot make use of the stolen data.
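To illustrate what "a one-way hash of every password, with a different hash key per customer" buys a defender, here is an added example of per-user salted password storage and verification. It is not MyHeritage's code and MyHeritage has not published its scheme; the choice of PBKDF2-HMAC-SHA256, the iteration count, the salt length and the sample accounts are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: MyHeritage has not disclosed its hashing scheme, so
# PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt stands in for the
# "one-way hash with a varied per-customer hash key" described in the announcement.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(email: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored credential record: email, per-user salt and the hash.
    The plaintext password is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"email": email, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so a login check leaks nothing about how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users who picked the same password get different stored hashes
    because their salts differ. Someone holding a leaked hash file therefore
    cannot spot shared passwords across accounts or reuse one precomputed
    table against every record; each hash must be attacked on its own."""
    alice = make_record("alice@example.invalid", password)  # constructed sample account
    bob = make_record("bob@example.invalid", password)      # constructed sample account
    return alice["hash"] != bob["hash"] and verify(alice, password) and verify(bob, password)


if __name__ == "__main__":
    rec = make_record("alice@example.invalid", "correct horse battery staple")
    print("stored record:", rec)
    print("login with right password:", verify(rec, "correct horse battery staple"))
    print("login with wrong password:", verify(rec, "Tr0ub4dor&3"))
    print("same password, distinct hashes:", same_password_distinct_hashes("hunter2"))
```

The stored record carries only the email, the salt and the digest; the salt is not secret, it just guarantees that identical passwords do not produce identical hashes. The iteration count is what makes each guess expensive, which is why a breach notice that describes hashing without naming the algorithm and work factor still leaves users unable to judge their own exposure.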
Deutsch was also quick to note that no other MyHeritage related data was collected from the private server.
According to him, there has been no activity since the data breach that seems to suggest a compromise in other sensitive materials from MyHeritage.
As such, they believe that no other systems have been compromised.
Credit card information is not stored by the company, and sensitive data such as DNA data and family trees is kept on segregated systems with additional security layers.
It remains unclear whether the hackers have been able to breach the firm’s defenses or whether they have exfiltrated the data.
An Investigation Is Being Launched
The firm has already engaged the services of an outside cybersecurity company to help investigate and establish the extent of the breach, as well as assist them to boost their security.
The firm has also contacted law enforcement agencies, including European regulators. The European Union's newly established General Data Protection Regulation (GDPR) requires firms to disclose security incidents that may involve EU citizens' data within three days of discovery, or face massive fines.
More Than One Reason to Be Concerned?
Although MyHeritage quickly went public about the breach, some of its statements have raised significant doubt on the firm’s security measures.
First, the company's immediate response to the breach was to form an incident response team to conduct a formal investigation; a firm of this kind should have had such a team in place well before any breach occurred.
Also, in its official statement, the company said it is working on a two-factor authentication (2FA) feature that it plans to make available to its users.
However, given the amount and sensitivity of the information it holds, best practice would have been to have 2FA set up and working long before the breach.
What's more, according to its official statement, the breach was spotted by a third party. This, together with the seven-month delay, is a matter of great concern because it implies that the company lacks adequate detection capabilities.
And if they have failed to notice this, there are perhaps other incidents within the system which may have gone unnoticed.
As the investigation continues, MyHeritage clients will have to wait and see if their personal information has indeed been compromised. Users are strictly advised to reset their passwords immediately.