[BreachExchange] Genealogy site MyHeritage discovered passwords of 92 million accounts on a private server, but says the data was encrypted

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 5 19:11:38 EDT 2018


http://www.businessinsider.com/myheritage-data-breach-exposes-92-million-accounts-2018-6

A data breach has exposed 92 million accounts on DNA testing and genealogy
website MyHeritage, the company said on Tuesday.

The breach was discovered by a security researcher who notified MyHeritage
on Tuesday that a trove of email addresses and hashed passwords was
sitting on a private server somewhere outside of the company. Because the
passwords were hashed, the actual passwords weren't exposed — hackers only
got access to a scrambled string of text produced by cryptographic algorithms.

MyHeritage said that the hashing is "one-way," meaning that it is almost
impossible to turn the hashed password back into the original. And each
hash key, which could be used to revert the hashed passwords back, differs
for each user.
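As an added illustration of the one-way, per-user hashing the company describes (example code written for this post, not MyHeritage's own; the hash function, iteration count and salt length are assumptions, since the article does not say what MyHeritage uses):

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Assumed parameters for this example; the article does not state MyHeritage's.
HASH_NAME = "sha256"
ITERATIONS = 210_000
SALT_BYTES = 16


class StoredCredential(NamedTuple):
    email: str
    salt: bytes    # per-user random value; differs for every account
    digest: bytes  # one-way output; cannot be turned back into the password


def hash_password(email: str, password: str,
                  salt: Optional[bytes] = None) -> StoredCredential:
    """Derive a one-way digest keyed by a per-user salt.

    A fresh random salt is drawn when none is supplied, so two accounts that
    chose the same password still end up with different stored digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, ITERATIONS)
    return StoredCredential(email, salt, digest)


def verify_password(cred: StoredCredential, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"),
                                     cred.salt, ITERATIONS)
    return hmac.compare_digest(recomputed, cred.digest)


def same_password_same_digest(password: str) -> bool:
    """Return True only if two accounts sharing a password store identical digests.

    With per-user salts this is False: one leaked record reveals nothing about
    another account that happened to pick the same password.
    """
    a = hash_password("alice@example.com", password)  # constructed sample accounts
    b = hash_password("bob@example.com", password)
    return a.digest == b.digest


if __name__ == "__main__":
    cred = hash_password("alice@example.com", "correct horse battery staple")
    print("correct password accepted:", verify_password(cred, "correct horse battery staple"))
    print("wrong password accepted:", verify_password(cred, "password123"))
    print("shared password, shared digest:", same_password_same_digest("hunter2"))
```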

The Israeli-based MyHeritage lets people send in swabs of DNA to uncover
their ethnic origins and family history.

The 92,283,889 accounts present on the server included users who
signed up for the service up until Oct. 26, 2017, the date MyHeritage
believes the breach occurred. The company said it does not have evidence
that any information was actually used by those responsible for the breach.

"There has been no evidence that the data in the file was ever used by the
perpetrators," the company said. "Since Oct. 26, 2017 (the date of the
breach) and the present we have not seen any activity indicating that any
MyHeritage accounts had been compromised."

More sensitive information, such as credit card information, family trees,
and DNA data, are stored in a different place than email addresses and
passwords, and MyHeritage believes that information was never compromised.

In response to the incident, MyHeritage is rolling out two-factor
authentication, which lets users log in using a code sent to a mobile device
in addition to a password.