DNA TESTING WEBSITE MyHeritage has admitted it fell victim to a data breach that affected the email addresses and hashed passwords of its 92 million users.
In a statement, the Israel-based ancestry platform said the breach occurred on 26 October 2017 and hit users who signed up for the service on or before that date, totalling 92,283,889 people.
MyHeritage only became aware of the breach on Monday this week, more than seven months after the breach occurred, when an unidentified security researcher sent the company's chief information security officer a message. This contained "a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage."
"Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords," the firm said.
MyHeritage's statement goes on to explain that the company does not store user passwords, only a one-way hash of each password, in which the hash key differs for each customer.
"This means that anyone gaining access to the hashed passwords does not have the actual passwords," the company said, but is urging all users to change their passwords nonetheless for "maximum safety".
No credit card information, nor - thankfully - genetic data appears to have been scooped up in the breach. This data, along with other sensitive information, is stored on a separate system that has "additional layers of security."
MyHeritage has since set up a response team that is investigating the incident and is "taking immediate steps to engage a leading, independent cybersecurity firm" to look into the scope of the breach.
The firm said it's also taking steps to inform relevant authorities, as per GDPR, and is "expediting" its planned rollout of two-factor authentication. µ
Could your next colleague be a bot?
Remove the tech or face the courts, threaten privacy advocates
OK Google... sell me stuff I didn't know I wanted
OxygenOS 5.1.7 also fixes issue related to 'Do Not Disturb' scheduling