Cybersecurity Incident: June 10 Update

This is an update regarding the data breach that affected MyHeritage, which we first reported on June 4 and followed up on here. In the breach, a security researcher found a file containing the email addresses and hashed passwords (not the passwords themselves) of 92.3 million MyHeritage users on a private server on the Internet, and reported it to MyHeritage’s CISO (Chief Information Security Officer). MyHeritage immediately disclosed the breach and took measures to address it, outlined in the blog posts linked above and explained further in this update.

On June 7, we began emailing our users individually to notify them of the incident and ask them to change their MyHeritage password. Although the leaked file holds hashes rather than passwords, the hash of a weak or reused password can still be guessed offline, so changing it is the prudent precaution. We also recommend that anyone who uses the same password on multiple websites (a bad practice) change it on those sites as well; a unique password for every service you use is a standard security precaution.

In the email to our users, we also recommend enabling Two-Factor Authentication, which we released on June 6. It adds an important layer of protection to MyHeritage accounts: when enabled, it secures your account against unauthorized access even if someone else knows your password. With Two-Factor Authentication, you designate a mobile phone and link it to your account by providing MyHeritage with its number. Then, whenever you log in to MyHeritage from a new computer, tablet or phone, or if a month has passed since your last login, MyHeritage sends a six-digit verification code to your mobile phone as a text (SMS) message, and you must enter it on MyHeritage to complete the login. For more details, and for instructions on enabling it, see our announcement. Thousands of our users have already enabled Two-Factor Authentication and are enjoying its protection for their accounts, and we hope that more will join them soon.

As we are emailing a very large number of users about the incident, this will take some time. If you are a MyHeritage user and have not received the email yet, please be patient; it will arrive soon.

On June 5, we began expiring all passwords on MyHeritage, and this is now complete. Anyone logging in to MyHeritage with an expired password is required to set a new one, through a process that includes an email sent to the user’s email address on file, so that even if the former password was compromised, nobody except the user can set a new password and regain access to the account. Because this step relies on control of your mailbox, please protect your email account as well, and treat any password-reset email you did not request with suspicion.

We are taking additional steps to further harden the security of accounts on MyHeritage. These steps may cause some inconvenience to our users. For example, users who have been logged in to the website for a long period without ever logging out will find that they have to set a new password and log in more frequently. The extra security is worth the inconvenience.

As a reminder, MyHeritage users who have questions or concerns about this incident are welcome to contact our security customer support team by email at privacy@myheritage.com or by phone on the toll-free number (USA) +1 888 672 2875, available 24/7. We have recruited 40 additional full-time support staff, who will join our 24/7 support team tomorrow, to help us cope with the increased customer support needs arising from this incident. We anticipate longer waiting times on the phone lines; if you call and find yourself in a long queue, please leave a voicemail and we will call you back as soon as possible. Most of the users who have contacted support so far have been very sympathetic to our efforts to recover from the breach and have mainly asked for help with setting a new password or enabling Two-Factor Authentication, assistance we are very happy to provide.

Summary
We’re sorry for the breach. It is bad news. But there is no evidence that anything has leaked beyond email addresses and the hashed passwords, which are not the passwords themselves, and no evidence of any unauthorized access to user accounts or data on MyHeritage. DNA data is protected by additional layers of security and does not reside on the same system that stores user credentials. A user can download their own DNA data, but that procedure requires not just the password but also authorization through the user’s mailbox, so it cannot be done by someone who knows only your password. Our internal statistics showed no increase in DNA data downloads over the past year. The former passwords have been expired and can no longer be used to access accounts. Two-Factor Authentication is now available to further secure your account. This is not available on any of the other major DNA and genealogy websites.

In summary, we hope that these measures will further demonstrate to our users our commitment to the privacy and security of their data, and we are confident that this incident will drive MyHeritage to become more secure than ever.

We thank our users for their trust and will continue to keep you apprised of the situation.

The MyHeritage team

Comments


  • Julie Boardman

    June 16, 2018

    Thank you for a wonderful genealogy site, with the honesty and integrity that appears in many aspects

  • Noel David Pulleine

    June 18, 2018

    I too am grateful for the very high level of security of one's DNA and family information that is provided by MyHeritage. And now knowing even more security levels have been recently added and planned, I feel even more safe and secure. Thank you MyHeritage.

  • Kit

    July 22, 2018

    It appears that MyHeritage is applying due diligence and best practices to secure our private personal information, and they are to be commended.