92 Million Users of MyHeritage DNA Testing Service Affected by Data Breach

Jun 8, 2018


MyHeritage, a provider of DNA testing services, has announced that it experienced a data breach affecting over 92 million users. The breach affected all users of the DNA testing service who signed up before October 26, 2017, the date of the breach.

Altogether, 92,283,889 usernames and hashed passwords were disclosed, making this the biggest data breach reported in 2018, and the biggest security breach since the 143-million-record breach at Equifax that was announced in September 2017.

The breach was discovered by a security researcher who found the usernames and hashed passwords on an unprotected, private third-party server outside the control of MyHeritage. The researcher downloaded the file and sent it to MyHeritage, which was able to verify its authenticity.

MyHeritage has verified that the breach was restricted to usernames and hashed passwords. Confidential information such as family trees and DNA data is stored on separate, segregated systems and is safeguarded by extra layers of security. MyHeritage has investigated the incident and verified that those systems were not compromised. The security researcher who found the data has carried out a search of the third-party server and verified that no other MyHeritage customer data had been uploaded.

All passwords in the file were hashed, with each record having a different hash key. This method of safeguarding passwords makes it difficult for the passwords to be deciphered. Although the data has been in the hands of the attackers for over 7 months, it doesn’t seem that the passwords have been deciphered and used.
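
What a different hash key per record changes in a leaked file, shown as an added example that is not MyHeritage's code. It assumes the "hash key" is a random per-record salt and uses PBKDF2-HMAC-SHA256, since the article does not name the algorithm; the accounts and passwords are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(user: str, password: str, salt: bytes | None = None) -> dict:
    """Build a stored record; a fresh random salt is drawn unless one is forced."""
    salt = os.urandom(16) if salt is None else salt
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the record's own salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def shared_hash_groups(records: list[dict]) -> int:
    """Count hash values that appear in more than one record."""
    counts = Counter(r["hash"] for r in records)
    return sum(1 for n in counts.values() if n > 1)


# Constructed sample accounts: two users happen to pick the same password.
ACCOUNTS = [("alice@example.com", "correct horse"),
            ("bob@example.com", "correct horse"),
            ("carol@example.com", "tr0ub4dor&3")]


def build(per_record_salt: bool) -> list[dict]:
    """Hash every account with either one shared salt or a salt per record."""
    fixed = b"\x00" * 16  # one salt for everyone: the weak design
    return [make_record(u, p, None if per_record_salt else fixed) for u, p in ACCOUNTS]


if __name__ == "__main__":
    print("shared salt, duplicate hashes:", shared_hash_groups(build(False)))
    print("per-record salt, duplicate hashes:", shared_hash_groups(build(True)))
```

With a shared salt, identical passwords produce identical hashes, so one guess resolves every matching record; with a salt per record, each record has to be attacked separately.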

The email addresses were not encrypted and could potentially have been used by the individuals responsible for the attack, although MyHeritage has not uncovered any evidence to suggest that was the case.

A breach notice has been submitted to the supervisory authority within 72 hours of discovery of the breach, as is required by the EU’s General Data Protection Regulation (GDPR).

MyHeritage was already working on implementing a new 2-factor authentication feature to provide greater protection for its users. That process has now been expedited. A leading third-party computer forensics firm has also been hired to investigate the breach and intrusion and will be providing information that will help MyHeritage to take steps to prevent further incidents of this nature from occurring in the future.