MyHeritage Breach Could Affect 92.3 Million Users
Genealogy websites have grown in popularity over the years. To help users trace their genetic roots, these companies offer services ranging from document searches to DNA testing.
One of these businesses, MyHeritage, recently reported a data breach that could have affected 92.3 million users. MyHeritage was made aware of the breach when a security researcher contacted the company's Chief Information Security Officer. The researcher sent along a file that he had found on a private server, and MyHeritage determined that the email addresses and hashed passwords in it were from their server.
Anyone who signed up before October 26, 2017 could have been affected.
MyHeritage believes the breach is limited to email addresses and hashed passwords.
“We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the company reported on its website.
Since discovering the breach on June 4, the company has taken steps to help users secure their accounts. Even though the passwords were hashed, the company has expired passwords to force users to create a new password.
They have also advised users, out of an abundance of caution, to change their passwords on any other sites where they may have used the same password. Most security experts recommend that people use a different password for every account so that if one password is stolen, other accounts are not affected.
MyHeritage is also asking users to enable two-factor authentication. With two-factor authentication, any time a user attempts to access the site from a new computer, tablet or phone, or if it has been more than a month since they last logged on, they will receive a verification code on their phone, which must be entered to log in.
The company is still in the process of contacting users, so customers have been advised to wait patiently if they have not yet received an email.