dufus Posted June 5, 2018

When you sign up to a website handling sensitive information, perhaps a medical service or social network, one of the basic things you’re probably hoping for is that the site can keep control of its users’ data. Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage.

The data relates to users who signed up to MyHeritage up to and including October 26, 2017—the date of the breach—the announcement adds.

Users of the Israeli-based company can create family trees and search through historical records to try and uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website. In all, the breach impacted 92,283,889 users, according to MyHeritage’s disclosure.

On Monday, MyHeritage says the company’s chief information security officer “received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed password, on a private server outside of MyHeritage,” the announcement reads. Password hashes are cryptographic representations of passwords, meaning companies don’t have to store the actual password itself, although, depending on the algorithm used, hackers may still be able to crack them.

MyHeritage’s post notes that “the hash key differs for each customer,” suggesting the company is also using a so-called salt; an additional, typically unique value added to the password before hashing to make the hash itself more resilient to cracking.

On its website, MyHeritage says "your privacy and the security of your data is as important to us as it is to you. We have made significant investments to ensure that your account and personal details are secured and protected by multiple layers of encryption. All testing is done in our world-leading CLIA-certified, CAP-accredited laboratory in the United States."

MyHeritage says it has no reason to believe other user data was compromised. Customer credit card information is processed by third-parties such as PayPal, and users’ DNA data is stored on systems separate to those containing customer’s email addresses, the company claimed.

The lesson: Although it appears that hackers have not accessed MyHeritage accounts themselves, as the company notes, this is still a good opportunity to remember not to use the same password on multiple sites and services. MyHeritage also says in its announcement that it will be rolling out two factor authentication to all users; if you’re concerned about someone accessing your MyHeritage data in the future, it is certainly worth enabling that feature too.

https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million

Not only is information on your DNA subject to hacks: please be aware that Ancestry.com takes your DNA rights away from you, to use them as they please:

The article goes on to state: "There are three significant provisions in the AncestryDNA Privacy Policy and Terms of Service to consider on behalf of yourself and your genetic relatives: (1) the perpetual, royalty-free, world-wide license to use your DNA; (2) the warning that DNA information may be used against “you or a genetic relative”; (3) your waiver of legal rights."
dMog Posted June 5, 2018

Did they hack the site for medical/DNA info... OR, credit card info
Rusty Posted June 5, 2018

Just now, dMog said:
> did they hack the site for medical/dna info...OR , credit card info

Probably whatever they could get. People that give their DNA to these companies are IMO very naive.
Archived
This topic is now archived and is closed to further replies.