June 7, 2018
On June 4, the chief information security officer of MyHeritage, an online genealogy platform, received a message from a security researcher who had found a file named “myheritage” containing email addresses and hashed passwords on a private server outside of the company. The file contained the email addresses of all users who had signed up to MyHeritage up to October 26, 2017, together with their hashed passwords.
The breach involved a significant number of people—more than 92 million users. Indeed, over the past 15 years—and through the more than six months since the breach—MyHeritage claims to have signed up 96 million users worldwide and to have provided 9 billion historical records.
MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.
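The scheme described above is per-user salted, one-way password hashing: the server keeps a random salt for each account next to the digest, so two accounts with the same password produce different stored values and a leaked digest cannot simply be looked up in a precomputed table. The following is an added illustration of that mechanism, not MyHeritage's own code; the algorithm (PBKDF2-HMAC-SHA256), iteration count, salt length and the constructed user records are assumptions made here for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters chosen for this illustration only (assumptions, not MyHeritage's settings).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    When no salt is supplied a fresh random one is drawn, which is what happens
    at registration: every account gets its own salt, so identical passwords
    do not yield identical digests across users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# A constructed in-memory "user table": email -> (salt, digest). Only the salt
# and digest are stored; the plaintext password never is.
UserStore = Dict[str, Tuple[bytes, bytes]]


def register(store: UserStore, email: str, password: str) -> None:
    store[email] = hash_password(password)


def login(store: UserStore, email: str, password: str) -> bool:
    record = store.get(email)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def same_password_differs_per_user(store: UserStore, a: str, b: str) -> bool:
    """True when two accounts hold different digests even if their passwords match."""
    return store[a][1] != store[b][1]


if __name__ == "__main__":
    users: UserStore = {}
    # Constructed sample accounts; both deliberately use the same password.
    register(users, "alice@example.invalid", "correct horse battery staple")
    register(users, "bob@example.invalid", "correct horse battery staple")
    print("alice login ok:", login(users, "alice@example.invalid", "correct horse battery staple"))
    print("bob wrong pw:", login(users, "bob@example.invalid", "wrong"))
    print("digests differ:", same_password_differs_per_user(users, "alice@example.invalid", "bob@example.invalid"))
```

Because the salt is random per account, an attacker holding the leaked file must attack each digest separately rather than once for everyone, and a slow derivation function such as PBKDF2 makes each of those guesses expensive. That is the property the statement above relies on; it does not make weak passwords safe, which is why the advice to change passwords still stands.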
The security researcher reported that no other data related to MyHeritage was found on the private server—and that there is no evidence that the data in the file ever has been used by the perpetrators. “Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised,” the company said.
“We believe the intrusion is limited to the user email addresses,” MyHeritage added. “We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers […used] by MyHeritage. Other types of sensitive data, such as family trees and DNA data, are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.”
Immediately upon learning about the incident, the company set up a 24/7 Information Security Incident Response Team to investigate the breach and to respond to customer questions at email@example.com or toll-free via +1-888-672-2875.
Management also is taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion, and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future, the company said. In addition, management is taking steps to inform relevant authorities.
The company also has expedited completion of an upcoming two-factor authentication feature that will be made available to all MyHeritage users soon. “This will allow users interested in taking advantage of it, to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access,” management said.
All registered users of MyHeritage are advised to change their passwords. The procedure for doing so is described in the MyHeritage FAQ article.
The number of people using DNA testing and contacting genealogy sites is rising fast worldwide. In an NPR-Truven Health Analytics Health Poll of more than 3,000 households released on June 1, 29% of respondents said that they or their family members had considered getting a genetic test, a 5-percentage-point increase from 2016 (although the uptick wasn’t statistically significant, according to Truven Health, a unit of IBM Watson Health).
The people most interested in the idea are under the age of 35. The poll found that 43% of respondents in this age group said they had considered genetic testing, a 10-percentage-point increase from 2016.
The proportion of interested people who said they or a family member had ever ordered a direct-to-consumer test was 32%. When respondents were asked why they had gotten a direct-to-consumer genetic test, the most common response (30%) was ancestry or genealogy. Among those age 65 and older, 74% said ancestry or genealogy was the reason. Conversely, of respondents who had obtained such a test through a doctor, 31% said their reason was to help with a diagnosis.
“We have had this big push toward precision medicine and personalized medicine happening, but there’s still quite a bit of confusion about what it means to have a genetic test,” said Dr. Anil Jain, vice president and chief health information officer at IBM Watson Health. “Strikingly, the most common reason to get a genetic test is genealogy or ancestry.”
Doctors now check genetic markers for patients going on expensive medications, he said. There are also genetic tests related to how a person’s body processes drugs that doctors can use to adjust doses for medicines like blood thinners. In cancer, DNA testing of tumors is commonplace.
“Patients may not see it as a genetic test,” Jain said. “In many ways the survey reflects the state of affairs in the play between precision medicine … and the fact that there is consumer-facing genetic testing … powered by Ancestry.com and 23andMe.”
Interestingly enough, considering the recent breach at MyHeritage, about half (47%) of respondents who had ordered a test or whose family member had undergone one said they had privacy concerns. A solid majority were willing to share genetic test information with doctors, relatives and health care researchers. A minority (39%) were willing to share the information with employers.
Research contact: firstname.lastname@example.org