MyHeritage, a genealogy and DNA testing company based in Israel, recently announced that a security researcher had found a file online containing the email addresses and hashed passwords of more than 92 million users of its site.
So far, MyHeritage has said there is no reason to believe any other user data was compromised, and it has urged all users of the site to change their passwords. According to the company, sensitive DNA data is stored on IT systems separate from the user database, so it would not have been included in this breach. The passwords were also hashed, meaning the file holds the output of a one-way function rather than the passwords themselves: an attacker cannot reverse a hash, but can guess candidate passwords, hash each guess, and look for matches.
Still, the breach happened. MyHeritage has not said which hashing algorithm it used, but has indicated that a unique value is mixed into each password before hashing. That per-user salt is what stops an attacker from hashing a wordlist once and matching it against all 92 million records at the same time; each account has to be attacked separately. How much that helps depends on the algorithm and its cost factor, which the company has not disclosed, and it does little for users whose passwords are weak enough to appear in a wordlist.
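The following is an added example, not code from the original post and not MyHeritage's implementation (the company has not named its algorithm). It uses PBKDF2-HMAC-SHA256 with a random 16-byte salt per record as a stand-in for "unique elements added to each password", contrasts it with a bare SHA-1 hash, and runs a small attacker wordlist against both dumps. The user records, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample users for this example (not real MyHeritage data).
# Two users picked the same password, which is common in any large user base.
USERS = {"alice@example.com": "Summer2017!", "bob@example.com": "Summer2017!"}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password.
    Identical passwords give identical digests, and one precomputed
    table matches every user's hash at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(leaked: Dict[str, str], wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of an unsalted dump: hash the wordlist once, then look
    every leaked digest up in that table. Work = len(wordlist), however many users."""
    table = {unsalted_sha1(w): w for w in wordlist}
    found = {email: table[h] for email, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: Dict[str, Tuple[bytes, bytes]], wordlist: Sequence[str]) -> Tuple[Dict[str, str], int]:
    """Attacker's view of a salted dump: no shared table is possible, so every
    guess must be re-derived for every user, and each derivation is slow."""
    found: Dict[str, str] = {}
    work = 0
    for email, (salt, digest) in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, salt, digest):
                found[email] = guess
                break
    return found, work


def demo(wordlist: Sequence[str] = ("password", "letmein", "Summer2017!", "qwerty")) -> dict:
    """Run both schemes over the constructed users and a tiny attacker wordlist."""
    leaked_unsalted = {e: unsalted_sha1(p) for e, p in USERS.items()}
    leaked_salted = {e: salted_hash(p) for e, p in USERS.items()}

    unsalted_found, unsalted_work = crack_unsalted(leaked_unsalted, wordlist)
    salted_found, salted_work = crack_salted(leaked_salted, wordlist)

    return {
        "same_hash_unsalted": leaked_unsalted["alice@example.com"] == leaked_unsalted["bob@example.com"],
        "same_hash_salted": leaked_salted["alice@example.com"][1] == leaked_salted["bob@example.com"][1],
        "unsalted_cracked": unsalted_found,
        "unsalted_work": unsalted_work,
        "salted_cracked": salted_found,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice when it runs: the unsalted dump gives the two users the same digest and is cracked with four hash computations in total, while the salted dump gives them different digests and costs a separate, slow derivation per guess per user. Both users are still cracked, because "Summer2017!" is in the wordlist; salting and a high work factor buy time against strong passwords, not against weak ones.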
The researcher who discovered the file reported it on Monday, June 4, 2018. The file contained information for users who created accounts up to and including October 26, 2017, which MyHeritage has determined was the day of the breach.
What is the level of security risk?
With what MyHeritage has released about its password hashing, it is difficult to say how many of those hashes an attacker could crack, and therefore how many accounts, and the sensitive information behind them, could be logged into. Beyond the hashes themselves, there are several other concerning factors in this breach.
First and foremost, a username and password were the only things standing between an attacker and each user's DNA information, which is about as sensitive as personally identifying data gets. Other checks a login page might add do not fill that gap: a CAPTCHA only shows that the client is not a bot, not who it is, and security questions (pet names, mother's maiden name, the street one grew up on) are just a second, usually weaker, password whose answers can often be found publicly, and on a genealogy site are frequently part of the very family-tree data the account protects. The control that actually helps once a password is stolen is a second factor tied to something the user has, such as a one-time code from an authenticator app or a hardware key. MyHeritage is only now starting to add two-factor authentication, although it has been a security standard across many industries dealing with sensitive information for some time.
Second, it took a full two days after the disclosure before MyHeritage decided to force password resets on all user accounts. Initially the plan seemed to be to hope users would log in and change their passwords themselves. That gave anyone who had already cracked hashes an extra two days in which the stolen passwords were still valid, both on MyHeritage and on any other site where a user had reused the same password.
It’s certainly a mess for MyHeritage to clean up, and another example of why data security has to be a priority no matter how large your web presence or company is: how passwords are stored, how accounts are authenticated, and how quickly you respond once a breach is found all matter.
For more information about how you can improve your network security, contact us today at IDMI.Net.