MyHeritage breach leaks 92 million emails, hashed passwords

DNA testing service MyHeritage announced that it has fallen victim to a cyberattack. A security researcher reportedly found, on a private server online, a database containing over 92 million user email addresses and hashed passwords, stolen by an unidentified attacker.


Once MyHeritage received news of the breach, the company immediately assembled an Information Security Incident Response Team to investigate, and confirmed that the discovery was genuine. The security researcher did not say how he obtained the data, so MyHeritage is now investigating further to establish how the breach actually occurred.

The internal investigation also revealed that only accounts registered up to October 26, 2017 were affected, and that the attackers have not used the stolen information against those accounts so far. MyHeritage stored a one-way hash of each password rather than the password itself, so the attackers did not obtain actual passwords and can do little with the data directly. Nevertheless, the company has started a password reset for all accounts.

“Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so,” MyHeritage said. “However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days.”
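The two paragraphs above turn on what a "one-way hash" of a password means: the service can check a submitted password against the stored value, but the stored value cannot be turned back into the password. The following is an added example, not MyHeritage's code (the company did not disclose which hash function or parameters it used); it assumes salted scrypt with the work factors given in the constants, and models the "expiring all passwords" step as a record that can never verify again. It also shows why a reset is still prudent even when only hashes leak: a hash can still be tested against guesses offline, so a slow, per-user-salted function limits how far a leaked table can be exploited, and expiring the records removes that exposure entirely.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factors (hypothetical; MyHeritage's actual scheme is not
# public). Memory use is 128 * N * R bytes = 16 MiB per hash computation,
# which is what makes large-scale guessing against a leaked table expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32

# Marker record written when a password is force-expired; it never verifies.
EXPIRED_RECORD = "expired$"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'scrypt$<salt-hex>$<hash-hex>'.

    A fresh random salt is drawn for every record, so two users with the same
    password get different stored values and a leaked table cannot be matched
    against one precomputed list of hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES,
    )
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the candidate password and compare it in
    constant time. Malformed or expired records are rejected, not raised on."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES,
    )
    return hmac.compare_digest(candidate, expected)


def expire_password(stored: str) -> str:
    """Model a forced reset: replace the record so no password verifies and
    the user must set a new one through the reset flow."""
    return EXPIRED_RECORD


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
    print(verify_password("correct horse battery staple",
                          expire_password(record)))                 # False
```

The stored record carries the salt in the clear; that is fine, since the salt's job is only to make every record distinct, and the slow derivation is what protects the password itself. Note that the comparison uses `hmac.compare_digest` so that verification time does not depend on how many leading bytes of the hash match.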

MyHeritage's systems do not store credit card information either, because payments are handled by third-party providers. Family trees and DNA data have not been affected, as they are kept on segregated systems.

“We believe the intrusion is limited to the user email addresses,” reads the company blog. “Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.”

MyHeritage announced the immediate addition of two-factor authentication for extra account safety. The company will also notify the authorities, as required by GDPR, and users are advised to check their accounts.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Luana Pascu. Read the original post at: