MyHeritage, a global company offering ancestry and DNA testing services to 95 million users across 196 countries, has confirmed the breach of its MyHeritage site.
After learning of the breach on the 4th of June, the company issued a statement on its website blog informing registered users that the website had been breached last year and that user email addresses and hashed passwords had been stolen.
The breach was uncovered by a security researcher who found a database file named “MyHeritage” on a private server outside of the company. After investigating and determining that the file was legitimate, MyHeritage confirmed that the compromised database included the email addresses and hashed passwords of nearly 92.3 million customers who had registered with MyHeritage before the 27th of October 2017 (the date of the breach).
MyHeritage explained that it does not store user passwords but instead stores a one-way hash of each password, which means that anyone gaining access to the exposed hashed passwords does not have the actual passwords.
Investigations are still underway to identify any potential exploitation. However, there is currently no indication that any MyHeritage accounts have been compromised. Moreover, MyHeritage has confirmed that no other data, including sensitive data, was breached, as all other data, including payment card details, family tree data and genetic data, is stored on separate systems with further layers of security.
MyHeritage acted swiftly, notifying users within hours of discovering the breach.
MyHeritage is taking steps to identify the cause of the breach to help prevent a recurrence of such an incident. It has also informed the relevant authorities.
Going forward, MyHeritage will offer two-factor authentication (2FA) to users to further secure their accounts.
Although the passwords were not in plain text, MyHeritage has recommended that all registered users change their passwords on MyHeritage and take advantage of 2FA as soon as the feature is released.
Additionally, MyHeritage has decided to expire all user passwords on MyHeritage over the next few days, and users will be required to set new passwords to continue to access their accounts and data.