MyHeritage explains the details of this year's massive hack in an email sent to users by the company.
As one of our registered users, we are writing to share important information with you about a security incident which is related to your MyHeritage account, as well as steps we have taken in response to the incident and recommended actions you may wish to take.
On June 4, 2018, at 1 pm EST, we became aware of a data breach involving the email addresses and hashed passwords (these are not actual passwords) of 92.3 million MyHeritage users.
We learned about the breach when MyHeritage’s Chief Information Security Officer received a message from a security researcher, which stated that the researcher had found a file named myheritage containing email addresses and hashed passwords located on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, as well as their hashed passwords. We made a public announcement about the breach within 8 hours of learning about it (https://blog.myheritage.com/
What Information Was Involved?
Accessible information included your email address. The password associated with your account also was accessible but hashed using a cryptographic process, which like other hashing techniques converts plain text into a string of numbers and characters. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer.
Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to, and including, October 26, 2017, which was the date of the breach.
The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators. Furthermore, we have not seen any activity indicating that any MyHeritage accounts had been compromised between October 26, 2017 (the date of the breach) and the present.
We believe the intrusion is limited to the user email addresses and hashed passwords. We have no reason to believe that any other MyHeritage systems were compromised. For example, credit card information is not stored on MyHeritage, but only on trusted third-party billing providers (e.g., BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.
What We Are Doing
Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident. We have engaged a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion, and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.
We have notified relevant authorities as per GDPR.
We set up a 24/7 security customer support team to assist customers who have concerns or questions about the incident.
We expired all passwords on MyHeritage, requiring our users to set a new password. You can read more about this in the follow-up announcement we issued on June 5, 2018 (https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/).
We added the option of Two-Factor Authentication for user accounts.
What You Can Do
Change your password on MyHeritage.
We have protected your account by expiring your former password and requiring a password reset. Visit the MyHeritage website and log in. You will be prompted to set a new password. If you are not prompted, change your password as described in our FAQ article here: https://www.myheritage.com/how-to-change-your-password. If you are using our mobile app or the Family Tree Builder genealogy software, first change the password on the website and then set the same new password on the mobile app and/or Family Tree Builder.
Changing your password is a prudent and recommended practice. After doing this, you will be safer, because even if someone else has your password, they will not be able to access your MyHeritage account.
We recommend you change your password on every other site where you used the same password. The most secure passwords are those that are difficult to guess and are used on only one website.
Add Two-Factor Authentication (optional).
Two-Factor Authentication is an extra layer of security for your account, designed to ensure that you’re the only person who can access your account, even if someone knows your password. Two-Factor Authentication allows you to authenticate yourself using a mobile phone in addition to a password, which further hardens your MyHeritage account against illegitimate access. For more details, see our blog post (https://blog.myheritage.com/2018/06/new-myheritage-adds-two-factor-authentication-2fa-to-secure-your-account/).
Review Your Account.
Regularly review your account and report any suspicious or unrecognized activity immediately. Be vigilant and report any suspected incidents of fraud to us.
Protect Your Data.
Never confirm or provide personal information such as passwords or account information to anyone contacting you. MyHeritage will never send you any unsolicited emails asking for your password.
For More Information
For more information listing additional steps you may wish to consider taking at any time if you ever suspect that you may have been the victim of identity theft, please go to this page: www.myheritage.com/protecting-your-identity
If you have questions or concerns, you can contact our security customer support team via email at email@example.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7 in English. For our customer support phone numbers in other countries, see our Contact Page (https://www.myheritage.com/contact-us) and when calling, pick option 5 in the menu (privacy). If asked by our staff, note that your account ID on MyHeritage is 411953502.
As always, your privacy and the security of your data are our highest priority. We continually assess our procedures and policies and seek new ways to improve our approach to security. We understand the importance of our role as custodians of your information and work every day to earn your trust.
Thank you for your understanding.
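As an added illustration (not MyHeritage's own code) of the two mechanisms the email describes: a one-way password hash whose "hash key" differs for each customer (a per-user random salt, so a leaked hash file does not contain passwords and identical passwords do not produce identical hashes), and the forced expiry of every existing password after the breach. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the example; MyHeritage's actual scheme is not stated on the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed parameters for this example only; the real scheme is not on the page.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class StoredCredential:
    salt: bytes          # per-user random value: the "hash key that differs for each customer"
    digest: bytes        # one-way hash; the plaintext password is never stored
    expired: bool = False  # set for every user when passwords are force-reset after a breach


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Derive a salted one-way hash. A fresh random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredCredential(salt=salt, digest=digest)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    An expired credential never verifies, forcing the user through a reset."""
    if cred.expired:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def expire_all(store: Dict[str, StoredCredential]) -> int:
    """Breach response step: invalidate every stored password. Returns the count expired."""
    for cred in store.values():
        cred.expired = True
    return len(store)


def same_password_different_hashes(password: str) -> bool:
    """Two users who chose the same password end up with different stored hashes,
    which is why a leaked hash file cannot be matched across accounts by hash value."""
    first, second = hash_password(password), hash_password(password)
    return first.salt != second.salt and first.digest != second.digest


if __name__ == "__main__":
    # Constructed sample store (addresses are placeholders, not real users).
    users = {"alice@example.invalid": hash_password("correct horse battery")}
    print("login ok:", verify_password("correct horse battery", users["alice@example.invalid"]))
    print("expired:", expire_all(users), "login after expiry:",
          verify_password("correct horse battery", users["alice@example.invalid"]))
```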