MyHeritage data breach – 92.3 million user credential exposed

A security researcher discovered email addresses and hashed passwords of roughly 92.3 million Myheritage users stored on a private server outside the company.

The huge trove of data was contained in a file named “,” according to the experts the information is authentic and comes from Myheritage.

“Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named “myheritage” containing email addresses and hashed passwords, on a private server outside of MyHeritage.” reads the data breach notification published by the company.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

MyHeritage offers a service for the investigation of family history and the reconstruction of the family tree through the DNA analysis.

The expert who made the disconcerting discovery reported it to the company on June 4, 2018, the incident seems to have affected those users who signed up for the service before and including Oct. 26, 2017.

The expert only found usernames and hashed passwords, no other info was discovered on the server hosting the file.

The company pointed out that passwords were not stored in a plain text but did not explain the hashing mechanism used to protect them.

MyHeritage handles billing information through third parties, while DNA data and other sensitive data are stored on segregated systems.

At the time the company hasn’t observed any abuse of compromised data.

“Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.” continues the notification.

“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.”

The company set up an Information Security Incident Response Team to investigate the security breach and is going to hire cybersecurity firm to conduct comprehensive forensic investigations.

The company announced it is planning to introduce the two-factor authentication feature to provide a further protection to its users.

“MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.” concluded the company.

“For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – privacy, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]