Thanks a lot for the article post. Much thanks again. Fantastic.
Cybersecurity Incident: June 5-6 Update
- By admin
Yesterday we reported a cybersecurity incident affecting MyHeritage, in which the email addresses and hashed passwords of 92.3 million MyHeritage users were leaked to a private server outside of MyHeritage.
Our Information Security Incident Response Team is still investigating this incident, and we do not yet have an update regarding the source of the leak. We have not encountered abuse of any accounts on MyHeritage, or evidence that the leaked information was used by malicious actors.
The incident was reported to us by a security researcher yesterday, June 4, 2018, at about 1pm EST, which is 8pm at our HQ in Israel. We assembled our people to investigate the incident, gathered sufficient details to announce it publicly and did so within 8 hours of learning about it.
From the moment this became known to us we have been working literally around the clock, taking additional steps to help protect our users, and we want to update you on our progress in this area so far, one day after our initial report.
Although only hashed versions of the passwords leaked, not the passwords themselves, we encouraged our users to change their password, and many already did so. However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage.
Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this. This procedure can only be done through an email sent to their account’s email address at MyHeritage. This will make it more difficult for any unauthorized person, even someone who knows the user’s password, to access the account. We plan to complete the process of expiring all the passwords in the next few days, at which point all the affected passwords will no longer be usable to access accounts and data on MyHeritage.
Note that other websites and services owned and operated by MyHeritage, such as Geni.com and Legacy Family Tree, have not been affected by the incident.
As stated, we are expediting the work on adding two-factor authentication to MyHeritage and will update when that is live, as it is strongly recommended to use it once available to increase security.
Users who are experiencing difficulty in changing their password or have other questions or concerns should contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free helpline phone number (USA) +1 888 672 2875, available 24/7.
We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.
We have completed the GDPR reporting process to the authorities.
We are getting ready to announce the breach to the users, individually, via email, a process that will take some time due to the large number of affected users.
Again, it’s important for us to stress that your privacy and the security of your data are and will always remain our highest priority. We will continue to keep you informed and updated of our actions over the coming days.
Thank you for your understanding.
The MyHeritage team
Contact
Omer Deutsch
Chief Information Security Officer, MyHeritage
Email: dpo@myheritage.com
Keith White
June 8, 2018
Thank You for being so diligent in this matter