A file named "myheritage", discovered on a private server outside the company, contained the email addresses and hashed passwords of more than 92 million MyHeritage customers, the genealogy and DNA testing company's CISO said.
“Immediately upon receipt of the file, MyHeritage's Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system,” CISO Omer Deutsch wrote in a Monday blog post. The file contained the login information of MyHeritage users who had signed up for the service “up to and including Oct 26, 2017, which is the date of the breach.”
The company does not store user passwords; it stores a one-way hash of each password, "in which the hash key differs for each customer," Deutsch wrote, adding that there was no evidence miscreants had used the data in the file, and that no other MyHeritage data was found on the server.
“It appears that good cryptographic practices were in place, such as unique salts. However, the organization fell short in detecting the intrusion and data breach, as evidenced by the seven-month delay, and the fact they were notified by a third party,” said Rick Moy, chief marketing officer at Acalvio. “By reacting to a breach quicker, defenders can minimize the time attackers have to exploit whatever knowledge they've gained.”
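The article only says that MyHeritage stored a one-way hash with a per-customer "hash key", which in practice means a per-user salt. The following is an added example, not MyHeritage's code; it assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and a self-describing record format, and the account records and wordlist are constructed for illustration. It shows the two sides of Moy's point: two users with the same password get different stored hashes, so a leaked dump cannot be attacked with one precomputed table, yet a per-record dictionary attack still recovers weak passwords, which is why the advice to change passwords and enable two-factor authentication stands even when salting was done right.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Work factor for the demonstration. A production deployment would tune this
# (or use Argon2/scrypt) so that one verification costs tens of milliseconds.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn on every call, so two users who chose the
    same password end up with different stored records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=32)
    # Constant-time comparison so a verifier cannot be timed byte by byte.
    return hmac.compare_digest(candidate.hex(), hash_hex)


def crack_dump(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack against a leaked dump.

    Because every record carries its own salt, each candidate word has to be
    hashed once per account; no rainbow table or shared precomputation helps.
    Weak or reused passwords still fall after a handful of guesses per user.
    """
    recovered = {}
    for email, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                recovered[email] = word
                break
    return recovered


# Constructed sample accounts and wordlist (not data from the real breach).
SAMPLE_ACCOUNTS = {
    "alice@example.com": hash_password("password123"),
    "bob@example.com": hash_password("password123"),
    "carol@example.com": hash_password("Tq7!vR2#mWz9pL4x"),
}
SAMPLE_WORDLIST = ["123456", "password", "password123", "qwerty"]


def same_password_different_hashes(accounts: Dict[str, str] = SAMPLE_ACCOUNTS) -> bool:
    """True when alice and bob, who share a password, still have distinct hashes."""
    alice_hash = accounts["alice@example.com"].split("$")[3]
    bob_hash = accounts["bob@example.com"].split("$")[3]
    return alice_hash != bob_hash


if __name__ == "__main__":
    print("unique salts give unique hashes:", same_password_different_hashes())
    print("recovered from dump:", crack_dump(SAMPLE_ACCOUNTS, SAMPLE_WORDLIST))
```

Running it shows alice and bob with unrelated hashes despite an identical password, and the dictionary attack recovering both of them while carol's strong password survives the wordlist. Salting raises the attacker's cost from one table for the whole dump to one hashing run per account per guess; only the slow key derivation and the strength of the password itself decide whether that cost is prohibitive.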
Urging customers to change their passwords, MyHeritage said they should also use its two-factor authentication feature, which the company is “expediting.” Under the new GDPR rules, MyHeritage is reporting the breach to “relevant authorities” and is currently engaging a cybersecurity firm for a forensics review and to augment the work of its own newly formed Information Security Incident Response Team.
“You never know when your account or personal information might be at risk, which is why we always recommend you take your online security seriously,” said Sandor Palfy, CTO, Identity & Access Management, at LogMeIn. “Passwords that are lost, shared, reused or weak carry tremendous risk as cyber threats grow more sophisticated. Simple steps such as creating secure passwords, never reusing them and turning on two-factor authentication with your accounts whenever possible -- a feature that MyHeritage says it plans to deploy in the future -- will prevent data loss in the event of a third-party breach.”
Mukul Kumar, CISO and vice president of cyber practice at Cavirin, said that “though critical information was not compromised, it is yet another example of how breaches across multiple web properties can be used to build a more complete profile of an individual.” Kumar explained that “as noted, a top priority must be to use unique passwords, but even when browsers recommend this, the reality is very different. How many of you reuse the same password across two or more sites? What is your personal cyber posture? The second question is, from where was this data obtained? Does MyHeritage leverage the public cloud? If so, were they following best practices to ensure their cloud security posture, or does this breach follow so many others where cloud storage resources were left unsecured and unencrypted?”