Millions of email addresses leaked from genealogy site MyHeritage

MyHeritage homepage

MyHeritage – a genealogy site specializing in family trees and DNA testing  – is investigating a major security breach after a security researcher found email addresses and hashed passwords belonging to 92 million of its users. Information in the file dated back to October 27 2017, so anyone who registered an account before that date could be affected.

After discovering the email data in a plain text file, the researcher alerted the company, which set its own security staff to work. It also enlisted the help of an independent cybersecurity team

The security experts found no evidence of other user data on the server, and because the passwords were hashed, only the email addresses were readable. MyHeritage also noted that there's no evidence the data on the server was ever used. 

"MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer," the site said in a blog post. "This means that anyone gaining access to the hashed passwords does not have the actual passwords."

Relative risks

Other data, including that used to build family trees, is stored separately and wasn't compromised, and there was no risk of credit card details being stolen because the site processes payments using PayPal exclusively.

The email addresses are valuable though, and such a huge list would be a handy starting point for criminals to launch a phishing campaign.

This leak is particularly embarrassing because its discovery comes immediately after implementation of the EU's new General Data Protection Regulation (GDPR), which stresses that any company that holds personal information must take care to stop it falling into the wrong hands – information that forms the foundation of sites like MyHeritage.

MyHeritage recommendeds that all its users change their passwords just in case, and notes that it'll be upgrading to two-factor authentication soon, enabling users to lock down their accounts more tightly – particularly against phishing attacks.

Via Engadget