According to the notice, a security researcher notified MyHeritage on June 4 after discovering a file containing user login and hashed password information on a private server not owned by the genealogy site.
The site's security team reviewed the file and confirmed its contents. The file contained the email addresses and hashed passwords of all users who signed up to use the site before Oct. 26, 2017 -- the date the breach occurred.
Upon discovery, MyHeritage launched an investigation to determine how the file was obtained, as well as whether there were other breaches of the site. While the file was determined to be legitimate, the impact should be minimal, as the file contained only login information (email addresses and hashed passwords).
It's notable that MyHeritage does not store user passwords, only a hash of each password computed with a key that differs for each customer, so identical passwords do not produce identical hashes. Not only that, but the site doesn't store credit card information, and sensitive data like DNA and family tree information is kept on segmented systems.
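As an added illustration of the per-customer hashing the notice describes (example code written for this article, not MyHeritage's own implementation; the PBKDF2 algorithm, salt size and iteration count are assumptions), the following shows why a leaked file of such records contains no plaintext passwords and does not even reveal which accounts share a password:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not MyHeritage's actual settings.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a site would store: a per-user random salt plus a
    one-way PBKDF2 hash. The plaintext password is never part of the record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unique key material per customer
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_hash_for_same_password(password: str) -> bool:
    """Two customers chose the same password: do their stored hashes collide?
    With a per-user salt the answer is False, so a leaked file of records
    does not show which accounts share a password."""
    first = hash_password(password)
    second = hash_password(password)
    return first["hash"] == second["hash"]


if __name__ == "__main__":
    # Constructed sample account, not real user data.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("wrong password", record))
    print("same hash for same password:", same_hash_for_same_password("hunter2"))
```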
Segmentation is crucial to ensure that if a breach occurs, the impact is contained to the impacted database, file or system.
The researcher also told MyHeritage that he or she did not find any other data related to the site, and there’s no evidence the file was ever used by the hacker. Officials also stress that they’ve not seen any suspicious activity that would indicate any breach of customer accounts.
Also adding to MyHeritage's successful breach handling is the turnaround of notification. Officials did not hesitate to tell the company's customers, despite the ongoing investigation. Currently, officials said they are working with an independent cybersecurity firm to determine the scope of the intrusion and assess its systems.
MyHeritage is also taking steps to inform EU authorities to comply with GDPR.
“We will be expediting our work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon,” officials said in a statement. “This will allow users interested in taking advantage of it, to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access.”
All users have been instructed to change their login information, while waiting for the new two-factor authentication feature.
“However, we always recommend that you take the time to evaluate your security practices,” said officials. “Please, avoid using the same password for multiple services or websites. It’s good practice to use stronger passwords and to change them often.”