What happened?

Genealogy and DNA testing service MyHeritage confirmed a recent breach affecting more than 92 million customers. According to reports, email addresses and hashed passwords were impacted by this breach.

The Israeli-based company has nearly 100 million users from all over the world – with offices in North America, Israel and Europe. MyHeritage consists of both genealogy networking and DNA testing services similar to AncestryDNA, 23andMe and Family Tree Now.

A security researcher discovered a file containing email addresses and hashed passwords on a private server not associated with MyHeritage databases, the company said. Password hashing scrambles a user’s true password when it is stored by a company, adding an extra layer of protection to passwords if they fall into the wrong hands.

Company response

While there is a small risk that hashed passwords could still be misused, it’s very unlikely. But as an added precaution, the company will begin to expire all user passwords related to MyHeritage in response to this breach.

MyHeritage has also shared its plans to add two-step authentication, which requires a user to pass additional verification to access user accounts. MyHeritage is also encouraging users to visit the Help Center page for more information about changing emails and passwords.

“Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this. This procedure can only be done through an email sent to their account’s email address at MyHeritage. This will make it more difficult for any unauthorized person, even someone who knows the user’s password, to access the account. We plan to complete the process of expiring all the passwords in the next few days, at which point all the affected passwords will no longer be usable to access accounts and data on MyHeritage.”

MyHeritage, June 5-6 Update

What should I do?

If you started using MyHeritage services on or after Oct. 26, 2017, use these tips below to help secure your information immediately following this breach:

  • Address the problem areas. Even if MyHeritage hashes customer passwords, your password may still be at risk if you use it for other online accounts. Update your MyHeritage password and avoid using the same password for multiple accounts.
  • Watch for common post-breach risks. When email addresses are breached, phishing scams and other spam messages often follow. Update your email account password just to be safe and be wary of targeted scam messages meant to capture more sensitive information.
  • Think ahead. MyHeritage’s genealogy services are meant to reconnect long-lost family members. However, family information is often used in security questions and verification processes (i.e. mother’s maiden name, birth place, etc.). This information can also be used by fraudsters to carry out more convincing social engineering scams. Avoid using family-related information in security questions and do an audit of your social media pages for publicly-viewable family information.

Continue following Fighting Identity Crimes for more on this story, other breach and scam updates & ID protection tips from our industry experts.