Massive Breaches: 92 Million Users’ Details Leaked by DNA Testing Site


When you trust a company for genealogy and DNA testing services, you trust them with your highly sensitive private data. While that trust is often expected by customers, it's rarely earned. Security researchers discovered earlier this week that over 92 million account details of MyHeritage customers were sitting on a private server outside of the company.

The Israel-based ancestry platform offers services like creation of family trees to discover familial and ancestry records. The company that reportedly has over 35 million family trees on its site has confirmed a breach that affects 92,283,889 of its users.


In an announcement, the company revealed that its Chief Information Security Officer received a message from a security researcher on June 4 that he had discovered a file named myheritage on a server outside of the company. This server contained email addresses and hashed passwords.

"Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to [and including] October 26, 2017, and their hashed passwords," the company has disclosed.

The company said that it doesn't store user passwords but uses a unique one-way hash for each. "This means that anyone gaining access to the hashed passwords does not have the actual passwords," MyHeritage assured.
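The "unique one-way hash for each" user that the company describes is usually implemented as a per-user random salt fed into a slow key-derivation function. The following is an added illustration, not MyHeritage's code (the company has not published its scheme); the function names, iteration count and sample accounts are assumptions:

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed parameters for this illustration only.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password end up with different stored hashes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_table(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """What the server keeps: email -> (salt, digest). No plaintext passwords."""
    return {email: hash_password(pw) for email, pw in credentials.items()}


# Constructed sample accounts, not data from the breach.
SAMPLE = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}
TABLE = build_user_table(SAMPLE)


def same_password_different_hashes() -> bool:
    """Both sample users chose the same password, yet their digests differ."""
    return TABLE["alice@example.com"][1] != TABLE["bob@example.com"][1]
```

A leaked table like this still exposes the email addresses in the clear, which is why the disclosure above treats those as the main risk.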

MyHeritage genealogy site says no DNA data at risk; only emails and password hashes exposed

MyHeritage has assured that no payment information or DNA data is at risk. The company said that payment information is handled by "trusted third-party billing providers" and that family trees and DNA data are stored on segregated systems with added layers of security. MyHeritage also said that it will be rolling out two-factor authentication to all users.

The quick response of MyHeritage deserves to be applauded. However, we are probably going to see this speed of public disclosure more often, since companies are now required to be proactive under GDPR's 72-hour breach notification requirement.


"We are taking steps to inform relevant authorities including as per GDPR," the DNA testing site notes.

While last year was all about data breaches, this marks the first mega breach of 2018, possibly the second biggest after 2017's Equifax breach. MyHeritage users are recommended to change their passwords and to enable 2FA when it goes live.