Security Breach at MyHeritage Compromises 92 Million Account Email Addresses

Question

MyHeritage announced the breach late yesterday, June 4: https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/.

"We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach."

It is important to note that there is no reason to believe that any password information has been compromised. The passwords--as with almost all web services--are stored in what's called a "hash" format: essentially, a string of gibberish that can't be reconstituted to a password without a separate, binary "key" file. MyHeritage indicates that no data but email addresses seem to have been compromised:

"We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised."

Still, for maximum safety, MyHeritage is recommending all registered users change their passwords, and use a strong, unique password. Instructions for doing so can be found at this FAQ link.

Comments

Yay...

---

Yeah; the timing is generally not great, either. People got hit by a plethora of GDPR-driven privacy policy updates, website changes, and site closures; the GSK and Parabon situations with GEDmatch have caused people to hide or remove kits, and the media to weigh-in on privacy and security concerns about DNA testing in general; and now this, just scant days later. Not like MyHeritgae could pick and choose the timing. To their credit, it seems they released the statement as soon as they had verification of the incident. Now it's on multiple news websites.

Just an aside, email addresses are always more vulnerable than passwords. That's why I use a different email address on (almost) every website I register. Sounds more daunting than it is. There are a number of services to help with this; the one I use is 33mail.com. To reap the full benefit, there's a small annual fee, but then I can generate email addresses on-the-fly (meaning I don't have to create them; I just use one to register somewhere and the address is created automatically) and any mail sent to that new, unique address forwards back to my regular email address. No muss, no fuss. And if something like this breach happens, I just change the email address on file at MyHeritage, then go to the email service provider and block the compromised address. Once an email address gets out in the wild, it stays there.

---

I can't believe they've really got 92 million users.

---

While the announcement doesn't mention it, MyHeritage also owns and operates the genealogy and family tree website Geni.com. I imagine the only way the compromised email account number is that high is if it includes all of MyHeritage's properties, not just the DNA-testing side.

---

I don't know if they are all users, or they're counting where Geni tried to get you to put in the emails for any living relatives that were added to the tree.

---

I think that user base includes anyone who ever entered a free registration on their website.

---

MyHeritage posted an update today at https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/. The post is time-stamped today, but worded as if written yesterday. On the timing, they report they were first notified of the breach at 1:00 p.m. Eastern, and issued the first public announcement eight hours later.

All MyHeritage account passwords are being force-expired in phases over the course of a "few days." This means all their users will be "forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this. This procedure can only be done through an email sent to their account’s email address at MyHeritage."

My confusion over the numbers is now back to RJ's comment. The new update states: "Note that other websites and services owned and operated by MyHeritage, such as Geni.com and Legacy Family Tree, have not been affected by the incident."

They're indicating the 92.3 million accounts--plus 4 million added after the breach on 26 October 2017--were all MyHeritage accounts only. That's a staggeringly large number for only the core MyHeritage website/service. It's difficult for me to grasp that they could have that many.

---

Just FYI - I also just tried to log in, and they did force me to change my password. Couldn't access the site without doing so. Wasn't given a choice to 'do it later'.

Answer 1

It is important to note that there is no reason to believe that any password information has been compromised. The passwords--as with almost all web services--are stored in what's called a "hash" format: essentially, a string of gibberish that can't be reconstituted to a password without a separate, binary "key" file. 

This (and the blog post) is perhaps an unintentionally deceptive statement as the information provided does not actually indicate that these hashes are reasonably secure. Various websites report the actual security of them differently based on that blog post as it appears that they're using fuzzy language that may "suggest" one thing, but which may not be true.  

The missing pieces of information that would explicitly indicate that the passwords are reasonably secure comes in two parts. The first is salt:

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. [...] The primary function of salts is to defend against dictionary attacks or against its hashed equivalent, a pre-computed rainbow table attack.

Password cracking is the process of taking that "string of gibberish" and mapping it back to the original input password. This process is easy without salt because those employing cracking rely on prepared lists that can immediately identify what the input password was. 

The second piece of information would be the use of a computationally intensive algorithm such as bcrypt:

a function known as bcrypt, which by design consumes vast amounts of computing power and memory when converting plaintext messages into hashes.

[Ars Technica]

Using bcrypt simply takes more time to go through password-by-password. 

For a much better explanation of the process of password cracking, there are a few articles worth reading on Ars Technica:

• Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”. https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
• Lessons learned from cracking 4,000 Ashley Madison passwords. https://arstechnica.com/information-technology/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/

I hope that MyHeritage will explicitly clarify their password security practices. 

---

To add one more point, the timing of this disclosure should not be viewed as being "oh, they're being good about it", as another user here suggested:

To their credit, it seems they released the statement as soon as they had verification of the incident.

Yes and no. This may be the first major post-GDPR data breech. But it's the GDPR legally mandating that they notify customers within 72 hours of discovering the breech:

• Notification of a personal data breach to the supervisory authority. https://gdpr-info.eu/art-33-gdpr/

Comments

The date of the breach was October 2017 and they are only just discovering this breach now - in June? That was 9 months ago!!!  They don't seem to be very vigilant!!!

I wonder if this had anything to do with their purchase of the Legacy family tree software company - because that happened in August 2017 - and Legacy have thousands of clients.

I am a longtime client of Legacy (Since 2001)  and a more recent client of My Heritage. This does not make me feel safe!!

---

They only found out about the breech today, and it was purely by notice from a security researcher who is not affiliated with the company. For them to have noticed earlier would have meant observing the intrusion as it happened; that rarely happens, contrary to what movies might tell us. This is not about a lack of vigilance on the part of MyHeritage. 

The long delay between breech and discovery is typical. This isn't like having someone break into a house and steal a painting; it's someone breaking in, taking a photo of the painting, and leaving without a trace. There's no obvious missing property to tell you that you've been robbed. 

The best course of action for MyHeritage is (1) to focus on making their site as secure as possible, not going fishing in the dark corners of the web to try to find copies of data that might have been taken; (2) to assist their customers in understanding how this may impact them by communicating clearly about any issues related to the breech; (3) to help their customers make good security choices by offering password advice and two-factor authentication to those who feel it necessary.

Answer 2

There is an article onBrian Krebs security blog

https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/

Answer 3

My Heritage is recommending that users change their passwords.

This is very good advice (although a little late) HOWEVER, if you do decide to change your password, do it from the site, rather than a link in an email.

The perps have your email, but don't have your password. Its very easy to send you an email, purporting to be from My Heritage, with a link to the password change page. This page will look like My Heritage, and feel like it. But as soon as you change your password, the perps have it. OK They will update My Heritage, so you will not realise there is anything is amiss.

Why do they want your My Heritage password?.  They don't. But many people use the same password on multiple sites (or email servers) and that is what they want.

Be careful out there.

Comments

Indeed, email addresses can be valuable for "bad people." I logged in to MyHeritage to change my password, and I got this message:

Your password has expired. You must set a new password in order to log in. An email with instructions for setting a new password was sent to you at [your address].

Answer 4

Some Advice:

1. Change your password now. Not just on MyHeritage, but on WikiTree, Ancestry, Geni, and any other site where you have stored family tree information which includes information about any living person, including yourself.
   • Why? Genealogy sites contain information, like birthdates, mother's maiden name, etc., which banks and other sites still insist on using in "security questions"¹ before allowing you to reset your your password if you've forgotten it. You may not think of your family tree data as being as "sensitive" as your banking information, but one can be the key to the other. 
2. If you have used the same email address that you used on MyHeritage on any other web site, no matter how obscure, change your password on that other site, too.
   • Why? Hackers will be trying username and password combinations on other sites, just to see if they can get in. For a few weeks or months after every major password theft like this, there's a steady string of reports of people's accounts on completely unrelated sites being hacked, because they used the same password. Security professionals have a name for people who re-use the same password on multiple sites, but I don't think you want to hear it.
3. Use a strong password. The stronger your password is, the longer it will take to crack it. These days, 16 characters is probably just about the minimum length for a strong password. Also, don't bother doing things like replacing letters with look-alike characters (like replacing "a" with "@", or "o" with "0"): there are software libraries designed to defeat simple obfuscation like that, so doing that adds almost nothing to the strength of your password. The best passwords are randomly-generated alphanumeric strings like "S!i64@3lN=@lk+*3", which you're not likely to be able to remember unless you're a total security geek, so use a password manager to keep track of them.
   • Hint: "mom" is not a strong password, even if you type it in backwards.

Coverage:

• Krebs, Brian, "Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage." Krebs on Security, June 5, 2018.
• Holt, Chris, "MyHeritage admits 92 million user email addresses were leaked." Engadget, June 5, 2018.
• Mole, Beth, "92 million MyHeritage users had their data quietly swiped."² Ars Technica, June 5, 2018.
• Afifi-Sabet, Keumars, "MyHeritage suffers massive data leak affecting 92m users." IT Pro, June 6, 2018.
• Zorz, Zeljka, "MyHeritage suffers data breach, account details of 92+ million users compromised." HelpNet Security, June 6, 2018.

Notes:

1. Yes, security geeks having been telling banks and other web sites not to use information which is as easily discovered as that for years, but until they start to get sued in large numbers (and losing the cases), they're not going to change. Dumb security questions are quick and easy to implement, so for a lot of companies, that's all that matters.
2. Being an incorrigible punster, I love the header on this one: "Relatively Troubling". ;-)

Comments

I think this is a cop-out since their sister site got caught sending email announcements to non members this week. They got hacked by their own company! Or got caught selling info elsewhere and covered it up by saying they got hacked and sending out a few emails in “error”. No way does this type of thing just  happen by accident. Also this gives them an excuse if someone finds that they sold all our info without informing us. Whoops! Not our fault!

 I personally got an email this week from geni about a very close relative’s upcoming bday. It so happens that I have had no contact with that person for over 20 yrs, and for  good reason! It was extremely upsetting, to say the least! I have NEVER had a geni account, but did find out that they merged with myheritage a few years ago where I have a free account. Well, I emailed just about every place I could to complain! Never got a response but it looks  like I was not alone in my outrage!

After deleting the app and looking at myheritage on my laptop I found that they freely give out  info on search engines  about people who are still alive, but are hidden on the site, so I deleted my live relatives and will slowly delete the entire tree soon. It is not that large but I had wanted it in place for any relatives that might use their DNA service. /rant