One of the largest DNA testing services recently disclosed a breach that affects more than 90 million customers.
A security researcher found, on a private server, the email addresses and hashed passwords of every customer who signed up for the service before October 26 of last year.
MyHeritage, an Israel-based DNA testing service, reported the breach in a blog post yesterday:
Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage.
The MyHeritage information security team was able to verify the file and confirm that it originated from the website’s user database.
The exposure appears to be limited to customer email addresses and hashed passwords. A hash protects a password only as well as the algorithm behind it: a salted, deliberately slow function such as bcrypt, scrypt or Argon2 forces an attacker to guess each user's password separately at high cost, whereas an unsalted fast hash such as MD5 or SHA-1 lets a precomputed table or a GPU rig recover every common password in the file in minutes. Since the official statement does not name the hashing algorithm, it is impossible to say at this point how much protection the hashing actually provides.
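To make the point about the hashing algorithm concrete, here is an added example that is not MyHeritage's code and does not reflect MyHeritage's actual storage scheme (which the statement does not describe). It stores a small constructed user database two ways, as unsalted SHA-1 and as per-user-salted PBKDF2 from Python's standard library, then runs the same constructed wordlist attack against each. The user records, passwords, wordlist and iteration count are all made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny user database and an attacker wordlist.
# None of this is MyHeritage data; real wordlists hold billions of entries.
USERS = {
    "alice@example.com": "letmein",
    "bob@example.com": "letmein",        # same password as alice
    "carol@example.com": "Tr0ub4dor&3",  # not in the wordlist
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]

# Illustrative work factor; production deployments tune this much higher.
PBKDF2_ITERATIONS = 30_000


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast hash, no salt, so equal passwords hash equally."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = None) -> str:
    """Stronger scheme: random per-user salt plus a deliberately slow KDF.
    Stored as 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (hypothetical format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Attacker hashes each word once and matches the table against every user at once.
    Returns (recovered passwords, number of hash operations performed)."""
    table = {store_unsalted_sha1(w): w for w in wordlist}
    recovered = {email: table[h] for email, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def crack_pbkdf2(leaked: dict, wordlist: list) -> tuple:
    """With per-user salts there is no shared table: every (user, word) pair costs a full KDF run.
    Returns (recovered passwords, number of KDF runs performed)."""
    recovered = {}
    kdf_runs = 0
    for email, stored in leaked.items():
        for w in wordlist:
            kdf_runs += 1
            if verify_pbkdf2(w, stored):
                recovered[email] = w
                break
    return recovered, kdf_runs


def build_leaked_files() -> tuple:
    """Simulate the same user database stored under each scheme."""
    unsalted = {e: store_unsalted_sha1(p) for e, p in USERS.items()}
    salted = {e: store_pbkdf2(p) for e, p in USERS.items()}
    return unsalted, salted


def demo() -> dict:
    unsalted, salted = build_leaked_files()
    rec_u, ops_u = crack_unsalted(unsalted, WORDLIST)
    rec_s, runs_s = crack_pbkdf2(salted, WORDLIST)
    return {
        # identical passwords collide only under the unsalted scheme
        "unsalted_collide": unsalted["alice@example.com"] == unsalted["bob@example.com"],
        "salted_collide": salted["alice@example.com"] == salted["bob@example.com"],
        "unsalted_recovered": rec_u,
        "unsalted_hash_ops": ops_u,
        "salted_recovered": rec_s,
        # each KDF run is PBKDF2_ITERATIONS underlying hash operations
        "salted_hash_ops": runs_s * PBKDF2_ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the two weak passwords to a dictionary attack; the difference is cost. The unsalted file falls to five SHA-1 computations shared across all users, and identical passwords are visible as identical hashes before any cracking starts. The salted KDF file costs a separate run per user per guess (here 11 runs of 30,000 iterations each), and scales with both the number of users and the size of the wordlist, which is what buys customers time to change passwords after a leak. PBKDF2 is used here only because it ships with Python; bcrypt, scrypt or Argon2 are the usual choices for new systems.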
MyHeritage doesn’t believe any other systems were compromised. Credit card information, for example, isn’t stored on the website but with trusted third-party payment processors like BlueSnap and PayPal.
Other types of sensitive data, such as family trees and DNA information, are stored on a segregated system that includes added layers of security not present on those storing the email addresses, according to the company.
Since learning of the incident, the company has set up a response team to investigate.
Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident. We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.
MyHeritage has also taken steps to inform the relevant authorities, as required by the GDPR, whose 72-hour breach-notification rule had taken effect the previous month.
As always with breaches of this nature, change your MyHeritage password now, and change it on any other site where you reused it: leaked email and password pairs are routinely replayed against other services in credential-stuffing attacks, and even well-hashed passwords are cracked eventually if they are weak.