MyHeritage, a provider of DNA testing services, has announced it has experienced a data breach that has impacted more than 92 million users. The breach affects all users of the DNA testing service who signed up prior to October 26, 2017 – the date of the breach.
In total, 92,283,889 usernames and hashed passwords were exposed, making this the largest data breach reported in 2018, and the largest security breach since the 143-million record-breach at Equifax that was announced in September 2017.
The breach was detected by a security researcher who found the usernames and hashed passwords on an unprotected, private third-party server outside the control of MyHeritage. The researcher downloaded the file and sent it to MyHertiage, which was able to confirm its authenticity.
MyHeritage has confirmed that the breach was limited to usernames and hashed passwords. Sensitive information such as family trees and DNA data are stored on separate, segregated systems and are protected by additional layers of security. MyHeritage has investigated the incident and confirmed that those systems were not compromised. The security research who discovered the data has conducted a search of the third-party server and confirmed that no other MyHeritage customer data had been uploaded.
All passwords in the file were hashed, with each record having a different hash key. This mechanism of securing passwords makes it difficult for the passwords to be decoded. While the data have been in the hands of the attackers for more than 7 months, it does not appear that the passwords have been decoded and used.
The email addresses were not encrypted and could potentially have been used by the individuals responsible for the attack, although MyHeritage has not uncovered any evidence to suggest that was the case.
A breach notice has been submitted to the supervisory authority within 72 hours of discovery of the breach, as is required by the EU’s General Data Protection Regulation (GDPR).
MyHeritage was already working on implementing a new 2-factor authentication feature to provide greater protection for its users. That process has now been expedited. A leading third-party computer forensics firm has also been hired to investigate the breach and intrusion and will be providing information that will help MyHeritage to take steps to prevent further incidents of this nature from occurring in the future.