Security breach at MyHeritage website leaks details of over 92 million users

Israel-headquartered MyHeritage enables users to create family trees by searching through historical documents such as census, immigration, marriage and burial records in 42 languages. After investigators tracked down a suspect in the Golden State Killer case using a genealogy website that, like MyHeritage, allows users to upload raw genetic information, privacy concerns about shared DNA data have also surged.

"There has been no evidence that the data in the file was ever used by the perpetrators", the company said.

Consumer genealogy website MyHeritage said that email addresses and password information linked to more than 92 million user accounts have been compromised in an apparent hacking incident.

"Today, June 4, 2018 at approximately 1 p.m. EST, MyHeritage's chief information security officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage", the statement reads.


Email addresses are not, in themselves, fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches.

As consumer DNA testing has grown into a $99 million industry, questions about the security of users' intimate data have increased as well. Furthermore, the company said it segregates its systems, meaning data such as family trees and DNA are stored separately from email addresses on systems with added security. That's why it's good to use a password manager and have unique passwords for every site.

Damage seems to be limited to customer email addresses.

"Any programs that process data can potentially be attacked", Peter Ney, a doctoral student in UW's Paul G. Allen School of Computer Science & Engineering, told STAT at the time.


There is "no reason to believe" the systems with genetic data "have been compromised", Deutsch said. Deutsch said that the site learned of the breach only yesterday after an unnamed security researcher contacted the company.

"I would rather give someone my DNA than my social security number, my search history, or my credit card", she said. The company said it's also speeding up its work to roll out two-factor authentication for users.

MyHeritage said it was investigating the breach and taking steps to engage an independent cybersecurity company to review the incident.

