MyHeritage breach exposes 92M emails and hashed passwords

The genetic analysis and family tree website MyHeritage was breached last year by unknown actors, who exfiltrated the emails and hashed passwords of all 92 million registered users of the site. No credit card info, nor (what would be more disturbing) genetic data appears to have been collected.

The company announced the breach on its blog , explaining that an unnamed security researcher contacted them to warn them of a file he had encountered “on a private server,” tellingly entitled “myheritage.” Inside it were the millions of emails and hashed passwords.

Hashing passwords is a one-way encryption process allowing sensitive data to be stored easily, and although there are theoretically ways to reverse hashing, they involve immense amounts of computing power and quite a bit of luck. So the passwords are probably safe, but MyHeritage has advised all its users to change theirs regardless, and they should.

The emails are not fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches . They’re mainly damaging in connection with other data. For instance, the hackers could put 2 and 2 together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That’s why it’s good to use a password manager and have unique passwords for every site.

MyHeritage’s confidence that other data was not accessed appears to be for a good reason.

Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

Of course, until recently the company had no reason to believe the other system had been compromised, either. That’s one of those tricky things about cybersecurity. But we can do the company the credit of understanding from this statement that it has looked closely at its more sensitive servers and systems since the breach and found nothing.

Two-factor authentication was already in development, but the team is “expediting” its rollout, so if you’re a user, be sure to set that up as soon as it’s available.

A full report will likely take a while; the company is planning to hire an external security firm to look into the breach, and is working on notifying relevant authorities under U.S. laws and GDPR, among others.

I’ve asked MyHeritage for further comment and clarification on a few things and will update this post if I hear back.