92 Million Users of MyHeritage DNA Testing Service Affected by Data Breach

June 8, 2018


MyHeritage, a provider of DNA testing services, has announced that it suffered a data breach that has affected over 92 million users. The breach affects all users of the DNA testing service who signed up before October 26, 2017, the date of the breach.

In all, 92,283,889 usernames and hashed passwords were exposed, making this the largest data breach reported in 2018, and the largest security breach since the 143-million-record breach at Equifax that was announced in September 2017.

The breach was discovered by a security researcher who found the hashed passwords and usernames on an insecure, private third-party server outside MyHeritage's control. The researcher copied the file and sent it to MyHeritage, which was able to verify its authenticity.

MyHeritage has confirmed that the breach was limited to usernames and hashed passwords. Sensitive information such as family trees and DNA data is stored on separate, isolated systems and is protected by additional layers of security. MyHeritage has investigated the incident and confirmed that those systems were not compromised. The security researcher who found the data searched the third-party server and confirmed that no other MyHeritage customer data had been uploaded.

All passwords in the file were hashed, with each record having a different hash key. This method of protecting passwords makes it difficult to recover the original passwords from the hashes. Although the data have been in the hands of the attackers for over 7 months, it does not appear that the passwords have been recovered and used.
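To illustrate why a different hash key per record matters, the following added example (not MyHeritage's code) compares unsalted digests with per-record salted ones over constructed accounts. It assumes the "hash key" is a random per-record salt and uses PBKDF2-HMAC-SHA256 with an example iteration count; the article names neither the algorithm nor its parameters.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # example work factor (assumption, not from the article)

def hash_unsalted(password):
    """Weak baseline: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).digest()

def hash_per_record(password, salt=None):
    """Per-record scheme: a fresh random salt is stored beside each digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, stored):
    """Recompute with the record's own salt and compare in constant time."""
    _, candidate = hash_per_record(password, salt)
    return hmac.compare_digest(candidate, stored)

def shared_digests(digests):
    """Count records whose digest also appears on at least one other record."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

# Constructed sample accounts (not data from the breach).
ACCOUNTS = [
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "sunshine1"),
    ("carol@example.com", "sunshine1"),
    ("dave@example.com", "Tr0ub4dor&3"),
]

def build_tables():
    """Return (unsalted, salted) credential tables for the sample accounts."""
    unsalted = {user: hash_unsalted(pw) for user, pw in ACCOUNTS}
    salted = {user: hash_per_record(pw) for user, pw in ACCOUNTS}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    # Without salts, a leaked table shows which accounts share a password.
    print("unsalted records sharing a digest:", shared_digests(unsalted.values()))
    print("salted records sharing a digest:",
          shared_digests(d for _, d in salted.values()))
    salt, digest = salted["alice@example.com"]
    print("login check:", verify("sunshine1", salt, digest),
          verify("wrong-guess", salt, digest))
```

With per-record salts, a leaked table no longer reveals shared passwords, and each record has to be guessed against separately rather than all at once.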

The email addresses were not encrypted and could have been used by those responsible for the attack, although MyHeritage has not found any evidence to indicate that was the case.

A breach notification has been submitted to the supervisory authority within 72 hours of the discovery of the breach, as required by the EU’s General Data Protection Regulation (GDPR).

MyHeritage was already working on implementing a new two-factor authentication feature to provide greater security for its users. That process has now been accelerated. A leading third-party computer forensics firm has also been engaged to investigate the breach and intrusion and will provide information to help MyHeritage take steps to prevent further incidents of this type.