Israel-based website MyHeritage, a genealogy resource that specializes in family trees and DNA testing, has confirmed a major security breach after a researcher discovered email addresses and hashed passwords belonging to 92 million members of the platform.
In a public disclosure, MyHeritage admitted to a leak from a private server that exposed data belonging to users who had signed up on or before the date of the breach, October 26, 2017. The company, headquartered in Israel with offices in Tel Aviv, Utah, California and Ukraine, claims to have over 35 million family trees on its website.
“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach,” the company said.
The email addresses were discovered in a plain text file by the security researcher, who alerted the company before its own staff began to investigate the incident. The company also enlisted the services of a forensic cybersecurity team, which the company claims found no evidence of other user data within the leaked server. Only the email addresses were readable since the passwords were hashed.
MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.
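The storage scheme described above can be sketched as follows. This is an added example, not MyHeritage's code: the article does not name the hash function, so PBKDF2-HMAC-SHA256, the iteration count, the function names and the reading of "hash key" as a per-user random salt are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # illustrative work factor (assumption, not from the article)
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Weak baseline: equal passwords always produce equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a server stores: salt and derived hash, never the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random value per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample accounts: two users who picked the same password.
    shared = "correct horse battery staple"
    users = {
        "alice@example.com": hash_password(shared),
        "bob@example.com": hash_password(shared),
    }
    for email, record in users.items():
        print(email, record["salt"], record["hash"][:16] + "...")
    # Without a salt the two rows would be identical and reveal the reuse.
    print("unsalted hashes equal:", unsalted_sha256(shared) == unsalted_sha256(shared))
    print("salted hashes equal:  ", users["alice@example.com"]["hash"] == users["bob@example.com"]["hash"])
    print("login ok:", verify_password(shared, users["alice@example.com"]))
```

Because each record carries its own salt, a leaked table does not show which users share a password, and any guess has to be recomputed per account at the full work factor.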
Other data including details required to build family trees were stored separately and weren’t compromised. No payment card details were stolen either due to the website’s usage of PayPal as a payments processor.
MyHeritage is recommending that all users change their passwords and claims it will ‘soon’ implement two-factor authentication (2FA) for added security.
Image credit: MyHeritage.