DNA testing and genealogy service MyHeritage has announced that it suffered a data breach in October 2017, with over 92 million account details found on a private server.
Based on the creation dates of some accounts, the breach appears to have taken place on October 26, 2017.
We also asked for more information on the unidentified security researcher and where the stolen data was found. Rafi Mendelsohn, MyHeritage's director of PR and social media responded by email, saying only that: "We are investigating that right now and plan to have updates on the blog over the next few days".
The incident was brought to the ancestry site's attention by a security researcher who came across the file named "myheritage" on a private server outside of MyHeritage.
"This breach of MyHeritage seems to be the rare instance in which a company in possession of sensitive data adhered to some of the best practices in password posture by not storing them in plain text but as one-way hashes", said Balbix CEO, Gaurav Banga.
"We believe the intrusion is limited to the user email addresses", MyHeritage added.
Israel-headquartered MyHeritage enables users to create family trees by searching through historical documents such as census, immigration, marriage and burial records in 42 languages. Family trees and genetic data, it said, are stored on different systems with "added layers of security". When a user enters their password on the website, the site does not decrypt a stored password with a key; it runs the same one-way hashing process over the submitted password and compares the result with the stored hash.
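The verify-by-rehashing scheme described above, as an added illustration (not MyHeritage's code, and the article does not say which hash function or parameters the company uses). The example assumes a salted, iterated password hash (PBKDF2-HMAC-SHA256 from Python's standard library) and a constant-time comparison; the stored record carries its own salt and iteration count so that a login check can be repeated without ever recovering the plaintext password:

```python
import os
import hmac
import base64
import hashlib
from typing import Optional, Dict

# Illustrative parameters (an assumption for this example, not the article's figures).
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
KEY_LEN = 32
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>'.

    A fresh random salt per user means two accounts with the same password
    end up with different stored hashes, so a leaked file of hashes does not
    reveal which users share a password.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    return "$".join([
        ALGO_TAG,
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-run the same hashing process on the submitted password and compare.

    Nothing is decrypted: the stored record only lets us recompute the hash
    under the same salt and iteration count. The comparison is constant-time
    so that timing does not leak how many leading bytes matched.
    """
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed or tampered record
    if algo != ALGO_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def build_user_store(credentials: Dict[str, str]) -> Dict[str, str]:
    """Constructed sample of what a service would persist: email -> hash record only."""
    return {email: hash_password(pw) for email, pw in credentials.items()}


def login(store: Dict[str, str], email: str, password: str) -> bool:
    """Login check against the stored record; unknown users and bad passwords both fail."""
    record = store.get(email)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    store = build_user_store({
        "alice@example.invalid": "correct horse battery staple",
        "bob@example.invalid": "correct horse battery staple",
    })
    # Same password, different salts: the two stored records differ.
    print(store["alice@example.invalid"] != store["bob@example.invalid"])  # True
    print(login(store, "alice@example.invalid", "correct horse battery staple"))  # True
    print(login(store, "alice@example.invalid", "wrong password"))  # False
```

The salt and iteration count travel with each record, which is what lets a site raise its work factor later for new records while still verifying old ones; the article's point is simply that whoever holds the file has hashes to attack offline, not passwords to read.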
No other information, except for the email addresses and hashed passwords, was exposed, MyHeritage said. There has been no evidence that the data in the file was ever used by the perpetrators.
Mr Deutsch said the company had launched an investigation to identify how the breach had occurred, as well as engaging an independent cybersecurity firm to undertake "comprehensive forensic reviews" to determine its scope.
MyHeritage has also taken steps to inform relevant authorities, as per new GDPR rules.
"If you do choose to provide genetic data to an organisation, it's vital to enable the maximum security settings, turning on features such as two factor authentication once available, and check what you are 'agreeing' to when sharing it, as you may be unwittingly giving access - or even consent - to share this data more widely than is needed, even to other third party organisations."