MyHeritage data breach exposes info of more than 92 million users
Authored by a Symantec employee
If you use MyHeritage for testing your DNA and tracking your ancestry, you may need to change your password. That's the company's guidance following a data breach that exposed email addresses and hashed passwords for more than 92 million users.
What happened in the MyHeritage breach
MyHeritage said a security researcher notified the company on June 4, 2018, of a file found on a private server outside of the company. After analyzing the file, a MyHeritage security team determined that its contents originated from the company and included the email addresses and hashed passwords of 92,283,889 users.
MyHeritage said the information exposed involved users who had signed up for the service through October 26, 2017, the date of the breach.
The security researcher reported finding no other data related to the company on the server where the file was found. And MyHeritage says there's been no evidence that the perpetrators have used the data in the file.
MyHeritage said it has no reason to believe that the breach compromised any of its other systems. The company notes that it stores information such as family trees and DNA data on segregated systems - separate from those that store the email addresses - that include added layers of security. The company also says it doesn't store credit card information.
MyHeritage reports it's further investigating the breach and engaging an independent cyber security company to assist. That firm will help determine the scope of the intrusion and recommend steps to help prevent such incidents.
What MyHeritage users should do now
If you use MyHeritage, the company recommends that you change your password. Instructions are available on the company's help center. The company says it is also expiring all user passwords on its site, a process that will take a few days. This includes user accounts affected by the breach, as well as the four million additional accounts added since October 26, 2017.
Users who have questions can also contact the company's customer support team via email at firstname.lastname@example.org or by phone via the toll-free number (USA) +1 888 672 2875, available around the clock.
The company says that its other websites and services, such as Geni.com and Legacy Family Tree, were not affected by the incident.
This breach is a reminder that the organizations you do business with store your information in many different places that are beyond your control. As a result, you should always be mindful of security. Use unique passwords on each of your accounts - and make sure they're strong.
It also makes sense to monitor the news for reports of data breaches and other cyber security incidents that may affect your personal information. You may also want to consider an identity theft protection service, such as Norton with LifeLock, that helps protect you against identity theft and works to restore your identity if you become a victim.
Copyright © 2019 Symantec Corporation. All rights reserved.