MyHeritage breach exposes 92M emails and hashed passwords

A data breach has exposed 92 million accounts on DNA testing and genealogy website MyHeritage, the company said on Tuesday.

The breach was discovered by a security researcher who notified MyHeritage on Tuesday that a trove of email addresses and hashed passwords were sitting on a private server somewhere outside of the company. Because the passwords were hashed, the actual passwords were not exposed - hackers only got access to a scrambled string of text compiled by crytogaphic algorithms.

MyHeritage said that the hashing is one-way, meaning that it is almost impossible to turn the hashed password back into the original. And each hash key, which could be used to revert the hashed passwords back, differs for each user.

The Israeli-based MyHeritage lets people send in swabs of DNA to uncover their ethnic origins and family history.

The 92,283,889 million accounts present on the server included users who signed up for the service up until Oct. 26, 2017, the date MyHeritage believes the breach occurred. The company said it does not have evidence that any information was actually used by those responsible for the breach.

There has been no evidence that the data in the file was ever used by the perpetrators, the company said. Since Oct. 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

More sensitive information, such as credit card information, family trees, and DNA data, are stored in a different place than email addresses and passwords, and MyHeritage believes that information was never compromised.

In response to the incident, MyHeritage said it is rolling out two-factor authentication.