MyHeritage, the online genealogy and DNA testing site, has announced that it has recently become aware of a breach on its site. More than 92 million user accounts were affected, but relatively few personal details appear to have been leaked from those accounts.
According to MyHeritage’s statement, the site became aware of the breach on Monday after a security researched tipped the site off to a file on a private server named “myheritage.” The file contained email addresses and hashed passwords, and the breach affected 92,283,889 users, all of those who signed up for MyHeritage up to and including Oct 26, 2017 — the date of the breach.
MyHeritage points out that it only saves one-way hashes of passwords, not the passwords themselves. The hash key differs for each password, the site says. So essentially, anyone who gained access to the breached file only had the list of email addresses.
The site claims there’s no evidence the data was ever used, and also says, “We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”
This includes financial data — which MyHeritage doesn’t store on its site, instead relying on third-party billing companies. Nor was any DNA information included in the breach. That data, MyHeritage says, is kept on different systems, behind “added layers of security.”
[Need to make a password change? Check out our roundup of The Best Password Managers.]
MyHeritage is, as you might have expected, investigating the breach using an independent cybersecurity firm. The site also claims it will now be “expediting” work on its own two-factor authentication sign-in system to add more security in the future.
MyHeritage is recommending all registered users change their passwords, for “maximum security.” If you were using your MyHeritage password for other sites, we’d recommend changing your passwords there, as well.
H/T The Verge