Online genealogy platform MyHeritage posted a statement on its blog disclosing a security breach that occurred in October 2017, after the company received a file containing the email addresses and hashed passwords of all users who had signed up up to that point. While no other data were reported stolen, MyHeritage announced that it will expedite ongoing development of stricter security measures, such as two-factor authentication (2FA), and strongly advised users to change their passwords.
According to the statement, the Israeli company’s Chief Information Security Officer received an email from an undisclosed researcher containing a file named “myheritage” that was reportedly retrieved from a server outside the company. An investigation confirmed that the file contained 92,283,889 email addresses and hashed passwords belonging to legitimate users who had signed up on or before October 26, 2017, and found no evidence of further exploitation of the system. The company also reported that the breach did not compromise other personally identifiable information (PII), such as credit card details and DNA data, because these are stored on segregated systems. The company is investigating further to determine the extent of the intrusion.
MyHeritage promised to update the public in the coming days, and emphasized that all users should change their passwords immediately “for maximum safety.”
According to the company's website, MyHeritage serves 95 million users from 196 countries and has satellite offices in North America and Europe. Under the General Data Protection Regulation (GDPR), the company is obliged to report a breach within 72 hours of becoming aware of the security incident. MyHeritage holds more than 900 European record collections, including census details such as birth registries, immigration and emigration records, and voter and academic institution lists, in addition to the DNA samples that paying customers send in for analysis.
Data breaches remain a concern as more companies move to online solutions. Here are some best practices for safeguarding sensitive information online:
Practice network segmentation and data classification. A strict access and authorization policy not only limits who has access to specific data, but also promotes an environment and culture of security.
Make data privacy and protection a shared responsibility across all levels of the organization with employee education.
Implement 2FA for user accounts. A second authentication layer provides an additional line of defense.
Set up a virtual private network (VPN) to secure databases and limit intrusion.
Use stronger, more complex passwords. Never reuse the same credentials across different online platforms, and change them regularly.