MyHeritage, an Israel-based DNA testing service, has revealed that its website was breached last year by unknown attackers, who stole the login credentials of more than 92 million customers. The company helps people uncover their family history and ethnic origin using swabs of their DNA.
The breach was discovered on June 4th by an unnamed security researcher, who found a database file named “myheritage” on a private server located outside of the company. The file contained email addresses and hashed passwords, and he shared it with the MyHeritage team. Because the passwords were hashed, the original passwords were not exposed.
Analysis of the database showed that it included the details of nearly 92.3 million users, namely the customers who signed up for the MyHeritage website before October 27, 2017.
The MyHeritage security team is still investigating the data breach to find any potential exploitation of its systems. However, the company confirmed that other data, such as credit card details, family trees and genetic data, was not breached and is stored on a separate system.
In a blog post, MyHeritage states that credit card information is not stored on its website but only with the trusted third-party billing providers it uses, such as BlueSnap and PayPal. Sensitive details like family trees and DNA data are stored on segregated, highly secured systems that are separate from those that store the email addresses. Those systems were not compromised. The company also confirmed that the accounts are not compromised.
The company does not store passwords in plaintext; instead, it uses a hashing algorithm with a unique salt to protect them, which makes them more resilient to cracking. So your stolen passwords are believed to be safe. Even so, the company advises its users to change their passwords to be on the safe side.
MyHeritage has hired an independent cybersecurity firm to conduct a forensic investigation of the data breach. It is also adding two-factor authentication as an option for users.
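The following is an added illustration, not MyHeritage's code: it compares an unsalted hash table with per-user salted hashes, showing that identical passwords share a digest in the first and not in the second. The page does not name the algorithm, so PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not breach data); two users share a password.
ACCOUNTS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "correct horse"),
    ("carol@example.com", "tr0ub4dor&3"),
]
PBKDF2_ITERATIONS = 200_000  # assumed work factor; the page names no algorithm

def unsalted_hash(password):
    """Weak scheme for comparison: plain SHA-256 with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digests(digests):
    """Count records whose digest also appears on another record."""
    counts = Counter(digests)
    return sum(n for n in counts.values() if n > 1)

def build_tables():
    """Hash every sample account under both schemes."""
    weak = [unsalted_hash(pw) for _, pw in ACCOUNTS]
    strong = [salted_hash(pw) for _, pw in ACCOUNTS]
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted records sharing a digest:", shared_digests(weak))
    print("salted records sharing a digest:  ", shared_digests(d for _, d in strong))
```

With a unique salt, each record has to be attacked separately, so one guess cannot be checked against every account in a leaked table at once.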