On Monday, online genealogy company MyHeritage Ltd. released a statement revealing that the email addresses and hashed passwords of some 92 million of its users were stolen in a security breach dated October 26, 2017.
Israel-headquartered MyHeritage enables users to create family trees by searching through historical documents such as census, immigration, marriage and burial records in 42 languages. In 2016, the company also launched a genetic testing service that provides both DNA matching and ancestry and ethnicity estimates. Its database currently has DNA samples from over 1.25 million people.
The security breach was discovered by the company on Monday after an independent security researcher contacted MyHeritage's chief information security officer and revealed he had found a file containing email addresses and hashed passwords on a private outside server. The company determined the file was legitimate and contained the information of 92,283,889 users who had created an account up to the breach date.
MyHeritage stated that it does not store user passwords themselves, but rather a one-way hash computed with an individual key (a per-user salt) for each customer. "This means that anyone gaining access to the hashed passwords does not have the actual passwords," the company wrote.
Hashing is not encryption: a password is run through a one-way function that turns it into a fixed-length, seemingly random string of characters, and there is no key that turns the hash back into the password. When a user logs in, the website does not decrypt anything; it runs the same hashing process on the submitted password (with the same per-user salt, where one is used) and compares the result with the stored hash. Hashing schemes vary in strength, but none is uncrackable: an attacker who holds the hash file can guess candidate passwords, hash each one and check for a match, and a fast, unsalted hash makes that cheap. LinkedIn hashed its passwords with unsalted SHA-1, yet in 2012 and 2016 almost 200 million LinkedIn user passwords went on sale following its 2012 breach.
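The login check and the cracking risk described above, as an added example that is not part of the original article and not MyHeritage's or LinkedIn's code. It shows the salted, slow scheme a site should use (PBKDF2-HMAC-SHA256 is chosen here only because it is in the Python standard library; the article does not say which scheme MyHeritage uses), the verification step that rehashes rather than decrypts, and a dictionary attack run against both unsalted SHA-1 and the salted scheme. All account data and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for the slow, salted scheme. PBKDF2-HMAC-SHA256 is used here only
# because it ships with the standard library; the article does not say which
# scheme MyHeritage uses, so this is an illustration, not its implementation.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with a per-user salt; returns (salt, digest).

    A fresh random salt is generated when none is supplied, so two users who
    pick the same password end up with different stored digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: re-run the same hash on the submitted password and compare.

    Nothing is decrypted; hmac.compare_digest avoids leaking timing information
    about how many leading bytes of the digest matched.
    """
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_sha1(password: str) -> str:
    """The weak scheme LinkedIn used in 2012: one fast, unsalted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each guess is hashed once and looked up against every leaked hash at the
    same time, so the cost is len(wordlist) hashes no matter how many accounts
    leaked. Returns (recovered passwords, hashes computed).
    """
    table = {unsalted_sha1(guess): guess for guess in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same attack against per-user salted, slow hashes.

    The salt forces the attacker to rehash the wordlist separately for every
    account, and each hash is deliberately expensive. Returns
    (recovered passwords, hashes computed).
    """
    found: Dict[str, str] = {}
    computed = 0
    for user, (salt, digest) in leaked.items():
        for guess in wordlist:
            computed += 1
            if verify_password(guess, salt, digest):
                found[user] = guess
                break
    return found, computed


# Constructed sample data (not from any breach): three accounts and a tiny wordlist.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "correct horse battery staple 7!",  # not in the wordlist
}
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

# What an attacker would hold after a leak under each scheme.
UNSALTED_LEAK = {user: unsalted_sha1(pw) for user, pw in SAMPLE_PASSWORDS.items()}
SALTED_LEAK = {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    found, n = crack_unsalted(UNSALTED_LEAK, WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {n} hash computations")
    found, n = crack_salted(SALTED_LEAK, WORDLIST)
    print(f"salted PBKDF2:  recovered {found} with {n} hash computations")
```

Both attacks recover the two weak passwords, because salting does not protect a password that is in the wordlist; what changes is the cost. Against the unsalted file the attacker hashes the wordlist once for all 92 million accounts, while the salted scheme multiplies the work by the number of accounts and by the iteration count, which is why a strong, unique password is the one defence that survives a leak of the hash file.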
MyHeritage has not seen any evidence that user accounts were compromised or that the stolen data was ever used by the perpetrators, the company stated. Furthermore, the company said it segregates its systems, meaning data such as family trees and DNA are stored separately from email addresses, on systems with added security. The company does not store its users' credit card data, relying instead on third-party payment vendors such as PayPal.
Aside from informing users, MyHeritage stated it is taking steps to notify relevant authorities, as per GDPR. It has set up an information security incident response team, and also contracted an independent cybersecurity team to determine the scope of the breach and provide a recommendation regarding further steps and security measures.
The company also stated it intends to roll out an optional two-factor authentication system, which will require users to confirm a login with a separate device or service in addition to their password.
The company recommended that all users change their passwords.