What to know about the MyHeritage Breach

Yet another breach is hitting the headlines. This time MyHeritage, the DNA testing and genealogy service, had user credentials stolen from its website. The revelation comes on the heels of other shocking privacy-related news involving the DNA testing industry, but luckily in this case, aside from email addresses, no sensitive personal information or DNA was accessed. What else should you know about the breach? Continue reading to get the lowdown on the MyHeritage hack.

What happened?

Midday Monday, June 4, a security researcher contacted MyHeritage to notify the company that he had found its user information on a private server belonging to an unknown party, as noted in the company’s statement. After investigating, MyHeritage’s security team confirmed that the file came from MyHeritage’s servers and that it included all of the email addresses of users who signed up for the site on or before Oct. 26, 2017, the date when the breach happened. In total, 92,283,889 users had their emails taken.

The private server also contained password hashes instead of real (plain-text) passwords. A hash cryptographically transforms a password, and MyHeritage has deployed one-way hashes, making it extremely unlikely that the passwords can be recreated from the hash. Furthermore, each hash used a different hash key (a per-password salt), meaning that anyone who wanted to bother retrieving the data would have to individually crack each and every password. Thankfully, the company keeps payment details and DNA test results on separate servers and, currently, evidence suggests that the intrusion was limited to just the server containing emails and hashed passwords.

While it’s not apparent what led to the breach, or who controls and has access to this private server, it does seem like MyHeritage is taking the event and its security seriously. Besides implementing highly recommended security practices like the ones mentioned above, the company is working with an independent cybersecurity firm to investigate the incident; it has informed the relevant authorities, per GDPR requirements; it is working on making two-factor authentication available to all users soon; and it has set up a 24/7 security customer support team to assist customers.
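To make the point about one-way, individually salted hashes concrete, here is an added example (not MyHeritage's code; the page does not say which hash function or parameters they use) that stores passwords with PBKDF2-HMAC-SHA256 and a random per-password salt. It shows why two users with the same password end up with different stored hashes, and why checking a single password guess against a table of N salted records costs N separate hash computations rather than one.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed parameters for illustration; a real deployment tunes the
# iteration count to its hardware (the page does not state MyHeritage's scheme).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_same_hash(password: str) -> bool:
    """Do two accounts with the same password share a stored digest? (No, thanks to salts.)"""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 == d2


def check_guess_against_records(guess: str, records: List[Tuple[bytes, bytes]]) -> Tuple[int, int]:
    """Check one guess against every (salt, digest) record.

    Returns (matching_records, hash_evaluations). Because every record has its
    own salt, the guess must be re-hashed once per record: the work scales with
    the number of records instead of being amortised by a single lookup table.
    """
    matches = 0
    evaluations = 0
    for salt, digest in records:
        evaluations += 1
        if verify_password(guess, salt, digest):
            matches += 1
    return matches, evaluations


if __name__ == "__main__":
    # Constructed sample records: three accounts, two of which reuse a password.
    table = [hash_password("hunter2"), hash_password("other-pass"), hash_password("hunter2")]
    print("identical passwords share a digest:", same_password_same_hash("hunter2"))
    print("matches, hash evaluations for one guess:", check_guess_against_records("hunter2", table))
```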

What should you do?

If you’re a MyHeritage user, the most immediate threat is that your email address has been compromised. If there are accounts or services that share both an email address and a password with your MyHeritage account, you need to change them immediately. If you need help coming up with strong passwords or you have a hard time remembering all of your passwords, consider using a password manager, which will serve as a digital vault for passwords.

Depending on the hashing scheme MyHeritage used, it’s possible that individual passwords could be cracked, but the process will likely prove time-consuming, given that there are over 92 million entries. As such, you’ll also need to follow any news about MyHeritage to ensure that you’re aware of any further developments regarding this story. Additionally, the company promises to expedite the release of its two-factor authentication feature, so when that becomes available, you should start using it.

Finally, for added security, you might also want to consider using different email addresses across different services — remember that you should also be using a different password for each service. Accounts and services with access to your most sensitive information, like your DNA, should get unique email addresses and/or phone numbers, if possible, to make them harder to compromise.

As we’ve pointed out many times before, data breaches are unfortunately a norm in today’s world, which means you’ll want to stay in the know with such news. Keep reading our data breach blog to learn about the latest breaking stories and how to protect yourself when a breach strikes.