Data Exposed for 92 Million Users of DNA Testing Company

An Israel-based genealogy and DNA testing firm, MyHeritage, confirmed on Monday a report that a file including the email addresses of more than 92 million users had been “found” on a private server outside the company. In addition to email addresses, the same file contained hashed (mathematically scrambled and difficult to reverse) versions of user passwords.

According to the company’s blog post, “no other data related to MyHeritage was found on the private server.” The company said it has found no evidence that the data in the file has been used since the breach, which occurred on October 26, 2017.

The company outlined the steps it was taking to determine what happened and to strengthen the security of its users’ data, including rolling out a two-factor authentication feature that customers may use, if they so choose. MyHeritage also encourages users to change their passwords.

Security researcher Brian Krebs points out that MyHeritage’s assurances about the security of user DNA and ancestry data depend on the strength of the hashing routine used to scramble user passwords. The company said it does not store user passwords, “but rather a one-way hash of each password, in which the hash key differs for each customer.”

Which hashing algorithm the company used can make a big difference here. If the scheme is as described, with a one-way hash and a different key (salt) for every customer, and it is properly implemented with a deliberately slow algorithm, MyHeritage’s password security system would be very effective.

Krebs also notes:

[If the data file was stolen and not inadvertently exposed, t]here is a good chance that the attackers will be trying to crack all user passwords. And if any of those passwords are crackable, the attackers will then of course get access to the more personal data on those users.

An obvious question is why MyHeritage doesn’t just force all its customers to reset their passwords rather than just recommending a reset. That way if the file was indeed stolen and the hashed passwords are cracked by the thieves those passwords would be worthless.

For more details check out Krebs on Security’s website.