The big news on the genie grapevine this week is that, unfortunately, MyHeritage has had a major security breach.
While a security breach is not good for anyone at any time, the way that MyHeritage have responded to it is to be commended. Here’s a portion of their public announcement…
“Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
They also state that …
“We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.”
In response to the breach, MyHeritage have already set up an Information Security Incident Response Team to investigate the incident. They are also taking steps to engage an independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion, and to provide an assessment and recommendations on steps that can be taken to help prevent such an incident from occurring in the future.
They have also set up a support team to assist customers who have concerns or questions about the incident. You can contact them by email at privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.
So what do users need to do?
At this stage they simply suggest you change your password. You can find the steps on how to do this here.
Read the full report
You can read the full report on the incident from MyHeritage here