- A security researcher informed DNA testing and genealogy website MyHeritage that a file containing 92 million user email addresses and scrambled (hashed) passwords was found on a server outside of the company.
- MyHeritage does not believe the information was actually used by the perpetrators.
- Credit card information, family trees, and DNA data were not part of the breach, the company says.
A data breach has exposed 92 million accounts on DNA testing and genealogy website MyHeritage, the company said on Tuesday.
The breach was discovered by a security researcher who notified MyHeritage on Tuesday that a trove of email addresses and hashed passwords was sitting on a private server somewhere outside of the company. Because the passwords were hashed, the actual passwords weren’t exposed – the attackers only obtained scrambled strings of text produced by cryptographic hashing algorithms.
MyHeritage said that the hashing is “one-way,” meaning that it is almost impossible to turn a hashed password back into the original. And the hash key that would be needed to reverse a hashed password differs for each user.
The Israel-based MyHeritage lets people send in swabs of DNA to uncover their ethnic origins and family history.
The 92,283,889 accounts present on the server belonged to users who signed up for the service up until Oct. 26, 2017, the date MyHeritage believes the breach occurred. The company said it does not have evidence that any information was actually used by those responsible for the breach.
“There has been no evidence that the data in the file was ever used by the perpetrators,” the company said. “Since Oct. 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.”
More sensitive information, such as credit card information, family trees, and DNA data, is stored in a different place than email addresses and passwords, and MyHeritage believes that information was never compromised.
In response to the incident, MyHeritage is rolling out two-factor authentication, which lets users log in using a code sent to a mobile device in addition to a password.