Data Exposed for 92 Million Users of DNA Testing Company

June 6, 2018 by Paul Ausick

An Israel-based genealogy and DNA testing firm, MyHeritage, confirmed on Monday a report that a file including the email addresses of more than 92 million users had been “found” on a private server outside the company. In addition to email addresses, hashed (mathematically scrambled and difficult to reverse) versions of user passwords were also contained in the wandering file.

According to the company’s blog post “no other data related to MyHeritage was found on the private server.” Since the data breach that occurred on October 26, 2017, the company said it has found no evidence that the data in the file has ever been used.

The company outlined the steps it was taking to determine what happened and to strengthen the security of its users’ data, including rolling out a two-factor authentication feature that customers may use, if they so choose. MyHeritage also encourages users to change their passwords.

Security researcher Brian Krebs points out that MyHeritage’s assurances about the security of user DNA and ancestry data depend on the strength of the hashing routine used to scramble user passwords. The company said it does not store user passwords, “but rather a one-way hash of each password, in which the hash key differs for each customer.”

Which hashing algorithm the company used can make a big difference here. As described and if properly implemented, MyHeritage’s password security system would be very effective.
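To make the distinction concrete, the following added example (not MyHeritage's code; the company has not published its scheme) contrasts a single fast unsalted hash with a per-user salted, deliberately slow one-way hash. PBKDF2-SHA256 is an assumed stand-in for "a one-way hash in which the hash key differs for each customer", and the three accounts are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative work factor; a real deployment tunes this to its hardware
# and would prefer a memory-hard KDF (scrypt/Argon2) where available.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding a random per-user salt and the slow one-way hash.

    Because the salt differs per account, two users with the same password
    get different hashes, and a cracker cannot reuse one guess across all users.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS, "salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iter"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_sha1(password: str) -> str:
    """The weak design that algorithm choice guards against: one fast hash, no per-user key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed sample accounts; alice and bob chose the same password.
    accounts = {
        "alice@example.com": "correct horse",
        "bob@example.com": "correct horse",
        "carol@example.com": "battery staple",
    }
    salted = {user: hash_password(pw) for user, pw in accounts.items()}
    weak = {user: unsalted_sha1(pw) for user, pw in accounts.items()}
    return {
        # Same password, different salts: stored hashes do not match.
        "salted_collide": salted["alice@example.com"]["hash"] == salted["bob@example.com"]["hash"],
        # Same password, no salt: identical hashes reveal the shared password at a glance.
        "unsalted_collide": weak["alice@example.com"] == weak["bob@example.com"],
        "alice_ok": verify_password("correct horse", salted["alice@example.com"]),
        "alice_wrong": verify_password("Correct horse", salted["alice@example.com"]),
    }
```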

Krebs also notes:

[If the data file was stolen and not inadvertently exposed, t]here is a good chance that the attackers will be trying to crack all user passwords. And if any of those passwords are crackable, the attackers will then of course get access to the more personal data on those users.

An obvious question is why MyHeritage doesn’t just force all its customers to reset their passwords rather than just recommending a reset. That way, if the file was indeed stolen and the hashed passwords are cracked by the thieves, those passwords would be worthless.

For more details check out Krebs on Security’s website.
