Genealogy platform says hackers stole data on 92M users

A web-based genealogy and DNA testing platform revealed this week that hackers breached its system and stole email addresses and hashed passwords belonging to more than 92 million users.

MyHeritage said it became aware of the breach, which occurred last year, just this week. The company said that it has no evidence that other sensitive information was taken or that the stolen data was used for malicious purposes.

In a blog post on Monday, a company official said MyHeritage had been contacted by an independent security researcher about a file found on a private server that appeared to contain information from MyHeritage users.

The company investigated the report and confirmed that the file contained data on more than 92 million users who had signed up for the genealogy service before late October 2017, when the company says the breach occurred.

The data included user email addresses and hashed passwords, meaning passwords that are stored only as the output of a one-way hash function rather than in readable form, so the hackers would not be able to view the actual passwords corresponding to user accounts.

“There has been no evidence that the data in the file was ever used by the perpetrators,” Omer Deutsch, MyHeritage’s chief information security officer, wrote. He added that the company has “not seen any activity indicating that any MyHeritage accounts had been compromised” since the date of the breach.

The company emphasized that it does not store sensitive information, like user DNA data or family information, on the same system where it stores user email addresses. Instead, this information is held on a separate system where there are more layers of security. 

“We believe the intrusion is limited to the user email addresses,” Deutsch wrote. “We have no reason to believe that any other MyHeritage systems were compromised.”

The company said it immediately launched an internal company investigation after learning of the possible intrusion, and has also hired a cybersecurity firm to conduct forensic analysis to determine the scope of the breach.

Deutsch said MyHeritage is working “to inform relevant authorities including as per GDPR,” referring to the General Data Protection Regulation, a sweeping data security and privacy law that went into effect in Europe at the end of May.

The company also said it is expediting its plan to enable two-factor authentication for users of the platform.