92 million MyHeritage email addresses found on private server

In a disclosure notice, MyHeritage said 92 million email addresses and hashed passwords were discovered on a private server. Is this the first post-GDPR data breach?

MyHeritage HQ
MyHeritage

On Monday, MyHeritage, an online genealogy platform, announced that more than 90 million of their users had email addresses and hashed passwords compromised, after a researcher discovered a file being hosted on a private server.

MyHeritage confirmed that the contents of the file originated from the company.

In addition, based on the wording of the disclosure, the company determined the compromised data included email addresses and hashed passwords for everyone who signed up for the service from 2003 until October 26, 2017.

"We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords," the company explained in a blog post.

While the other systems, such as those that manage payments, genealogy, and DNA were not compromised, the company has hired an outside firm to determine the full scope of the breach.

Also, following GDPR requirements, MyHeritage alerted the public to the incident the same day they were told about it, and said they're taking steps to inform relevant authorities.

Loose Ends:

It isn't clear how MyHeritage hashed the user passwords, but the company recommended that everyone change their passwords on the website. They've also promised to implement two-factor authentication as soon as possible.

Moreover, the company didn't explain how the massive collection of data left their servers and ended-up on a private one out of their control; and there is no way to tell how long that file existed or who had access to it before the researcher discovered and reported it.

Even without the passwords, criminals now have a list of people to target who they know are MyHeritage users.

Using GDPR as a pretext, or the notification itself, that’s a potential victim pool of 90 million users, translating to 900,000 victims if just one-percent of them are successfully victimized.

Update:

We asked AsTech Consulting, who has spoken to Salted Hash in the past about GDPR for their take on the disclosure as it pertains to the newest compliance measure. For the most part, it looks as if MyHeritage is following the book.

"In terms of their response and how it pertains to GDPR, it appears that they're doing most of what they need to do correctly. There's been an announcement. They're contacting the relevant authorities. They're bringing in an outside firm to conduct a forensic investigation to determine the cause of the breach and to repair whatever allowed it to take place. They're implementing two-factor authentication for their users. Finally, they've provided contact information for users to reach out regarding any concerns or requests related to their personal data," explained Nathan Wenzler, chief security strategist at AsTech.

"Additionally, if the specific information that was found is all that was found (email addresses and hashed passwords), then it's possible that GDPR may not even come into play beyond the data breach reporting requirements, if at all, as the email address alone may not qualify as directly identifying a 'natural person', per the definition of personal data in Article 4. However, if it was determined to qualify as personal data in this case, then it seems that the initial steps MyHeritage is taking are correct and appear to be in alignment with GDPR requirements."

NEW! Download the Winter 2018 issue of Security Smart