‘Limited’ Breach at Israeli Genealogy Site MyHeritage Compromises 92m Accounts

The Hebrew homepage of the MyHeritage website. Credit: Screengrab

A security researcher has uncovered a breach at genealogy site MyHeritage, though the Israel-based company says there is no evidence that anything more than email addresses – of more than 92 million users – had been at risk of exposure.

MyHeritage, which is based in Or Yehuda near Tel Aviv, collects DNA from users via home test kits. “We believe the intrusion is limited to the user email addresses,” it said.

In a blog post, the company said the information reached it on Monday and the exposed details included users' login information – email addresses and so-called hashed passwords.

“MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage,” said the blog post written by Omer Deutsch, the company’s chief information security officer.

“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”

Compared to many similar incidents in the past, this breach seems less serious – first because of the company’s quick response, but also because MyHeritage stores passwords through a one-way “hash” function, an algorithm that transforms the password into a stored value from which the original cannot be recovered.

The algorithm takes the information and generates a sequence of characters so that the original information cannot be deciphered. Thus anyone gaining access to hashed passwords does not have the actual passwords.

Still, when it comes to relatively short strings like most passwords, cracking the hashes is not impossible. Because a handful of well-known hash algorithms like MD5 or SHA-1 are in common use, an attacker can in theory hash likely passwords and compare the results against the stolen values, exposing the original password wherever a guess matches. But wholesale exposure would still be an arduous process.

In the post, the company noted that “the hash key differs for each customer.” Reporting on the breach for the website Motherboard, Joseph Cox said this suggests that “the company is also using a so-called salt; an additional, typically unique value added to the password before hashing to make the hash itself more resilient to cracking.”
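To make the hashing and salting discussion above concrete, here is an added illustration (not MyHeritage's code; the user records, salts, wordlist size and PBKDF2 work factor are constructed assumptions). It contrasts an unsalted SHA-1 store with a per-user-salt store, shows why the unsalted file alone reveals which accounts share a password, and quantifies how salts multiply the work of checking a wordlist against every user.

```python
"""Why per-user salts and a slow KDF matter when a password file leaks.

Constructed example for the article above; not MyHeritage's code.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: a configurable, deliberately slow work factor


def unsalted_sha1(password: str) -> str:
    # Legacy scheme: the same password yields the same hash for every user.
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = None) -> dict:
    # Per-user random salt plus a slow key-derivation function.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_password_groups(hashes: list) -> int:
    # Count hash values shared by more than one user: in an unsalted file
    # this reveals password reuse before a single guess is made.
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def guess_cost(n_users: int, wordlist_size: int, salted: bool) -> int:
    # Hash computations needed to test a wordlist against every user:
    # one shared table without salts, a full recomputation per user with them.
    return wordlist_size * (n_users if salted else 1)


if __name__ == "__main__":
    pws = ["correct horse", "hunter2", "hunter2"]  # constructed: two users reuse a password
    legacy = [unsalted_sha1(p) for p in pws]
    modern = [salted_record(p) for p in pws]
    print("shared hashes, unsalted:", duplicate_password_groups(legacy))
    print("shared hashes, salted:  ", duplicate_password_groups([r["hash"] for r in modern]))
    print("wordlist checks for 92M users, 10k words:",
          guess_cost(92_000_000, 10_000, False), "vs", guess_cost(92_000_000, 10_000, True))
```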

Nevertheless, MyHeritage suggested that users change their passwords for the site. It recommended using complex passwords, changing them frequently and not using the same password for a different website.