Email addresses and passwords of over 92 million MyHeritage customers were found exposed by a security researcher who came across a private server on the Internet that stored such details.
Earlier this week, MyHeritage, a firm that helps people preserve and share family history by storing DNA data and details about family trees, announced that email addresses and hashed passwords of over 92 million of its customers were stolen by an unidentified cyber criminal on 26th October last year. The firm learned of the breach after it was alerted by a security researcher who discovered a private server on the Internet that stored the stolen information.
"We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017, which is the date of the breach.
"MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords," the firm said in a blog post.
The firm added that no other data related to MyHeritage was found on the private server, and that sensitive data such as customers' credit card details, family trees and DNA data are secure, as they are stored either with trusted third-party billing providers or on segregated systems. It also said that there is no evidence that the stolen data was ever used by the perpetrators for any purpose.
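The firm's statement above describes per-user salted one-way hashing: each customer's password is run through a one-way function together with a value unique to that customer, so the stored digest cannot be reversed to the password and two customers with the same password do not share a digest. The following is an added illustration of that scheme, not MyHeritage's code; the page does not say which hash function or work factor the company uses, so PBKDF2-HMAC-SHA256 from the Python standard library, a 16-byte random salt and an iteration count of 600,000 are assumptions here, and the user records are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your own hardware.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return a record holding only the per-user salt, the iteration count
    and the one-way digest; the password itself is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a login check leaks nothing through timing differences."""
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def unsalted_hash(password: str) -> str:
    """The weaker scheme that a per-user salt replaces: every account with the
    same password produces the same digest, so one cracked digest unlocks all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed records: two customers happen to have chosen the same password.
    users = {
        "alice@example.com": "correct horse battery staple",
        "bob@example.com": "correct horse battery staple",
    }
    records = {email: hash_password(pw) for email, pw in users.items()}
    alice, bob = records["alice@example.com"], records["bob@example.com"]
    return {
        # With per-user salts the two stored digests differ...
        "salted_digests_differ": alice["digest"] != bob["digest"],
        # ...whereas an unsalted hash would expose the shared password at a glance.
        "unsalted_digests_equal": unsalted_hash(users["alice@example.com"])
                                  == unsalted_hash(users["bob@example.com"]),
        "alice_verifies": verify_password(alice, users["alice@example.com"]),
        "wrong_password_rejected": not verify_password(alice, "not her password"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The salt is stored next to the digest in plain form; it is not a secret, its job is to make each digest unique so that a leaked table cannot be attacked with one precomputed lookup for every account at once. The iteration count is what makes guessing slow, and it is recorded in each record so it can be raised over time without invalidating older entries.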
Two-factor authentication to be implemented
To ensure that cyber criminals are not able to access customer accounts, MyHeritage announced that it will implement two-factor authentication soon to allow users to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access.
Commenting on the massive breach of millions of email addresses and hashed passwords, Rashmi Knowles, EMEA Field CTO at RSA Security, said that while only email addresses were compromised, the breach should serve as a serious wake-up call for all handlers of genetic data.
"If your password is stolen, it can be updated, but this isn’t the case with genetic information – you only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don’t think about this when applying for such services.
"No matter how secure the organisation, no one is completely risk-free, and if breached, genetic data could be sold on by hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There’s even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future.
"When being asked to provide such a highly sensitive level of personal information, you need to think carefully to decide if the benefit outweighs the risk. If you do choose to provide genetic data to an organisation, it’s vital to enable the maximum security settings, turning on features such as two-factor authentication once available, and check what you are ‘agreeing’ to when sharing it, as you may be unwittingly giving access – or even consent – to share this data more widely than is needed, even to other third-party organisations," she added.
In an update posted on 6th June, MyHeritage told affected customers that it was resetting all of their passwords and asked them to choose fresh passwords for their respective accounts.
"To maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017.
"As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this. This procedure can only be done through an email sent to their account’s email address at MyHeritage. This will make it more difficult for any unauthorized person, even someone who knows the user’s password, to access the account," it said.