92 million user accounts at risk after genealogy and DNA-testing site MyHeritage is hacked

MyHeritage -- a website that helps people research their family tree and also offers a DNA testing service -- has suffered a "cybersecurity incident". A file containing the usernames and hashed passwords of more than 92 million users was discovered on an external server by a security researcher.

The file was found to be genuine and MyHeritage is now undertaking an investigation to determine what happened. The security breach affects all users who signed up to the site up to October 26, 2017. The company says that it is taking steps to inform the relevant authorities in line with GDPR.

See also:

• Ticketfly remains offline following hack attack in which user data was accessed
• Canada: Bank of Montreal and Simplii Financial hit by hackers
• US and UK issue joint warning about Russian hacking of routers and ISPs

It seems that MyHeritage fell victim to a hack attack in late October last year, and it was at this point that the details of 92,283,889 users appear to have been stolen. The company says that there is no indication that the data has been used and it stresses: "MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords."

In a statement about the incident, MyHeritage says:

The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators. Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

The company has set up what it refers to as an "Information Security Incident Response Team" in order to investigate the incident, and says that it is trying to determine the scope of the incident and find out how to prevent it happening again. A round-the-clock support team has been set up (contactable at [email protected] or by phone via the toll-free number (USA) +1 888 672 2875).

Users are advised to change their current passwords as a precautionary measure, and MyHeritage says that it is now expediting its work on two-factor authentication.