The DNA testing service claimed in a statement on Monday that a security researcher contacted its CISO after finding a file containing the data on a private server outside of the company.
The firm claimed that there’s no evidence the data has been used by the hackers or that any other MyHeritage systems, such as those containing card information or DNA data, were compromised.
“Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system,” the statement continued.
“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017, which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
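The per-customer “hash key” the statement describes is what password-storage guidance calls a per-user salt: a random value stored alongside each hash so that identical passwords produce different hashes and precomputed tables are useless. The block below is an added example written for this page, not MyHeritage’s code (the company has not published its scheme); it uses PBKDF2-HMAC-SHA256 from the Python standard library as an assumed stand-in for whatever slow hash the company actually uses, an assumed iteration count, and a constructed wordlist. It also shows the caveat the statement leaves out: a salted hash stops reversal, not guessing, so a weak password in a leaked file still falls to offline dictionary attack.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example of per-user salted, slow password hashing. PBKDF2-HMAC-SHA256
# is an assumed choice; the iteration count is an assumed demo value (tune it
# so one hash costs ~100 ms on your own hardware).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: algorithm, work factor, per-user salt and hash.
    The salt is fresh random bytes for every user and is never reused."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": ITERATIONS, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters, then compare in
    constant time so a timing side channel does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iter"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_attack(record: dict, wordlist: list) -> Optional[str]:
    """What an attacker holding one leaked record can still do: guess offline.
    The salt forces one slow hash per (user, guess) and kills rainbow tables,
    but a password that appears in the wordlist is recovered regardless."""
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Two users choosing the same passphrase get unrelated hashes.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("login with right password:", verify_password(alice, "correct horse battery staple"))
    print("login with wrong password:", verify_password(alice, "Correct horse battery staple"))

    # Constructed leaked record and constructed wordlist (not real user data).
    leaked = hash_password("password123")
    wordlist = ["123456", "qwerty", "password", "password123", "letmein"]
    print("weak password cracked as:", dictionary_attack(leaked, wordlist))
    print("strong passphrase cracked as:", dictionary_attack(alice, wordlist))
```

Storing the algorithm and iteration count in each record is what lets a site raise the work factor later: on the next successful login the plaintext is available, so the record can be re-hashed with the new parameters. Forcing a password reset after a leak, as MyHeritage did, is still necessary because the salt only slows attackers down; it does not prevent them from eventually guessing the weak entries.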
The firm has acted swiftly to set up an incident response team and an independent forensic review, and said it will be rolling out two-factor authentication (2FA) to users soon. There’s also a 24/7 security customer support team on hand to answer any questions.
In the meantime, it urged users to change their passwords.
Commentators were broadly sympathetic to MyHeritage, claiming it did most of the security basics right.
“This breach of MyHeritage seems to be the rare instance in which a company in possession of sensitive data adhered to some of the best practices in password posture by not storing them in plain text but as one-way hashes,” said Balbix CEO Gaurav Banga. “It’s unfortunate that user email addresses were exposed, but by partitioning servers, using third parties for payment processing and encrypting passwords, MyHeritage has — at least so far — minimized the damage of this breach.”