On June 4th, 2018, MyHeritage discovered that information about its 92 million users had been stolen and published on an external web server. The data was discovered by a security researcher, who immediately provided MyHeritage with the information they found. But what was included in the data, and what do customers need to know?
What data was stolen?
The security researcher discovered email addresses and hashed passwords posted on a private server. The list includes all users who registered with the service prior to October 26, 2017. With these hashes, hackers could attempt to crack the passwords and access the accounts. However, it appears that the hashes were salted, meaning each user's hash was computed with a different random value, so attackers cannot crack many accounts at once with a single precomputed table and must instead attack each hash individually. At this time, MyHeritage does not believe that any other systems were compromised, or that any additional information was stolen.
What should customers do?
MyHeritage customers are urged to change their passwords, as well as their passwords for any other services where they may have used the same email and password combination. MyHeritage also says that customers can reach out at firstname.lastname@example.org, or call (USA) +1 888 672 2875, which is available 24/7. Beyond these actions and a review of their own security practices, MyHeritage says there is nothing else that users need to do for now.
MyHeritage’s plan to move forward
In a statement on their blog, MyHeritage said that they will be incorporating two-factor authentication on user accounts, a step that is becoming more common in combating online account theft. This requires the use of a physical device, such as a mobile phone or authenticator device, to receive a one-time code when logging in. This means that even if an attacker did manage to steal a user’s password, they would still not be able to log in without the phone or other physical device used by the user.
For more information about what customers should do, see our recent post “What Should Consumers Do After A Major Breach.”