MyHeritage – a genealogy site specializing in family trees and DNA testing – is investigating a major security breach after a security researcher found email addresses and hashed passwords belonging to 92 million of its users. Information in the file dated back to October 27 2017, so anyone who registered an account before that date could be affected.
After discovering the email data in a plain text file, the researcher alerted the company, which set its own security staff to work. It also enlisted the help of an independent cybersecurity team
The security experts found no evidence of other user data on the server, and because the passwords were hashed, only the email addresses were readable. MyHeritage also noted that there's no evidence the data on the server was ever used.
"MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer," the site said in a blog post. "This means that anyone gaining access to the hashed passwords does not have the actual passwords."
Relative risks
Other data, including that used to build family trees, is stored separately and wasn't compromised, and there was no risk of credit card details being stolen because the site processes payments using PayPal exclusively.
The email addresses are valuable though, and such a huge list would be a handy starting point for criminals to launch a phishing campaign.
This leak is particularly embarrassing because its discovery comes immediately after implementation of the EU's new General Data Protection Regulation (GDPR), which stresses that any company that holds personal information must take care to stop it falling into the wrong hands – information that forms the foundation of sites like MyHeritage.
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
MyHeritage recommendeds that all its users change their passwords just in case, and notes that it'll be upgrading to two-factor authentication soon, enabling users to lock down their accounts more tightly – particularly against phishing attacks.
- The best free password manager for securing online accounts
Via Engadget
Cat is TechRadar's Homes Editor specializing in kitchen appliances and smart home technology. She's been a tech journalist for 15 years, and is here to help you choose the right devices for your home and do more with them. When not working she's a keen home baker, and makes a pretty mean macaron.