MyHeritage Releases Two-Factor Authentication & Expires User Passwords to Enhance Security

The following was received from MyHeritage today. I blogged about their security incident a few days ago.

On Monday, June 4, we released a statement regarding a cybersecurity incident. Earlier that same day, at approximately 1 p.m. EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included 92.3 million email addresses of users who signed up to MyHeritage up to and including October 26, 2017 (the date of the breach), and their hashed passwords. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords. The security researcher reported that no other data related to MyHeritage was found on the private server.

We have no reason to believe that any other information was compromised, such as the actual user passwords, credit card details, family tree data or DNA data. Credit card details are only stored on trusted third-party billing providers, while other types of sensitive data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.

We took several immediate steps, including establishing an Information Security Incident Response Team to investigate the incident, notifying relevant authorities, setting up a special customer support team, expiring all user passwords and forcing users to reset their password upon next login, and expediting our work on the upcoming Two-Factor Authentication (2FA) feature to further protect MyHeritage accounts.

Two-Factor Authentication had been scheduled to be added to MyHeritage accounts in the July-August timeframe but following the breach and our June 4th promise to expedite its development, we worked around the clock and are glad to announce today that we have completed the development and have released its initial implementation to all users of MyHeritage.

In MyHeritage’s first release of 2FA, you designate a mobile phone and link it to your account by providing MyHeritage with its number. Then, any time you log in to MyHeritage from a new computer, tablet or phone, or if a month has passed since your last login, MyHeritage will send you a six-digit verification code as a text (SMS) message to your mobile phone and you will need to enter it on MyHeritage to complete the login successfully.

The privacy and the security of our users’ data on MyHeritage is our highest priority. The implementation of the Two-Factor Authentication, MyHeritage being among the first in the genealogy and DNA industry to provide users with this added layer of security, is a testament to this commitment.

Please find more information in this blog post:
https://blog.myheritage.com/2018/06/new-myheritage-adds-two-factor-authentication-2fa-to-secure-your-account

About Leland Meitzler

Leland K. Meitzler founded Heritage Quest in 1985, and has worked as Managing Editor of both Heritage Quest Magazine and The Genealogical Helper. He currently operates Family Roots Publishing Company (www.FamilyRootsPublishing.com), writes daily at GenealogyBlog.com, writes the weekly Genealogy Newsline, conducts the annual Salt Lake Christmas Tour to the Family History Library, and speaks nationally, having given over 2000 lectures since 1983.
