Cybersecurity Incident: June 5-6 Update

Comments56

Yesterday we reported a cybersecurity incident affecting MyHeritage, in which the email addresses and hashed passwords of 92.3 million MyHeritage users were leaked to a private server outside of MyHeritage.

Our Information Security Incident Response Team is still investigating this incident, and we do not yet have an update regarding the source of the leak. We have not encountered abuse of any accounts on MyHeritage, or evidence that the leaked information was used by malicious actors.

The incident was reported to us by a security researcher yesterday, June 4 2018, at about 1pm EST, which is 8pm at our HQ in Israel. We assembled our people to investigate the incident,  gathered sufficient details to announce it publicly and did so within 8 hours of learning about it.

From the moment this became known to us we have been working literally around the clock, taking additional steps to help protect our users and wanted to update you on our progress in this area so far, one day after our initial report.

Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so. However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage. This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this. This procedure can only be done through an email sent to their account’s email address at MyHeritage. This will make it more difficult for any unauthorized person, even someone who knows the user’s password, to access the account. We plan to complete the process of expiring all the passwords in the next few days, at which point all the affected passwords will no longer be usable to access accounts and data on MyHeritage. Note that other websites and services owned and operated by MyHeritage, such as Geni.com and Legacy Family Tree, have not been affected by the incident.

As stated, we are expediting the work on adding two-factor authentication to MyHeritage and will update when that is live, as it is strongly recommended to use it once available to increase security.

Users who are experiencing difficulty in changing their password or have other questions or concerns should contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free helpline phone number (USA) +1 888 672 2875, available 24/7.

We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

We have completed the GDPR reporting process to the authorities.

We are getting ready to announce the breach to the users, individually, via email, a process that will take some time due to the large number of affected users.

Again, it’s important for us to stress that your privacy and the security of your data are and will always remain our highest priority. We will continue to keep you informed and updated of our actions over the coming days.

Thank you for your understanding.

The MyHeritage team

Contact
Omer Deutsch
Chief Information Security Officer, MyHeritage
Email: dpo@myheritage.com

Leave a comment

The email address is kept private and will not be shown

  • Keith White


    June 8, 2018

    Thank You for being so diligent in this matter

  • Smile


    June 8, 2018

    Thanks a lot for the article post.Much thanks again. Fantastic.

  • NatalieTanner


    June 8, 2018

    Thanksa lot for the post.Really thank you! Much obliged.

  • Fran fairfield


    June 9, 2018

    Thank you for informing those affected and for taking emmediat corrective measures . Think my husband has an account with you.

  • Dadang victory


    June 10, 2018

    Okay.. i change my password.

    Thank you.

    Dadang victory

  • Bobbi


    June 10, 2018

    So did I!

  • D S Brown


    June 11, 2018

    Thank you for the notification.

  • Beryl Briggs


    June 11, 2018

    Thank you.

  • John Rew


    June 11, 2018

    Thank you for letting us know, how and when should I change My password.

    • Esther


      June 11, 2018

      Hi John,

      We have begun expiring all passwords on MyHeritage, so anyone logging on to MyHeritage with an expired password will be required to set a new password. When you are prompted to do this, you will get an email sent to your email address on file with a link to set a new password and regain access to the account.

      Best, Esther / MyHeritage Team

  • Linda whiting


    June 11, 2018

    Thanks

  • Myra


    June 11, 2018

    Thank you

  • Patricia Collins


    June 11, 2018

    I will change my password

  • William B Baker


    June 11, 2018

    Thank you so much for the concern

  • guido pizzella


    June 11, 2018

    ok i change my password

  • sandra van boeyen


    June 12, 2018

    THANK YOU WILL CHANGE PASSWORD

  • vern


    June 12, 2018

    Thank you for alerting me.

  • Petrus Johannes van Staden


    June 12, 2018

    Thank you so much for the excellent service you render.

  • Mary Nolan


    June 12, 2018

    Thanks for your post

  • Peter Robinson


    June 12, 2018

    thank you for your clarity

  • Carolyn Warren


    June 12, 2018

    Thanks will change my password.

  • AndrewDzh


    June 12, 2018

    Thank You

  • Linda


    June 12, 2018

    Thank you your quick and diligent action in correcting this situation and keeping us informed.

  • Dollie


    June 12, 2018

    Thanks so very much for letting people know. I hope that y’all have a bless day. I have sole trust in y’all. Thanks again.

  • Roslaine Gouveia


    June 12, 2018

    Thanks for take care of us.

  • Tui Murray


    June 12, 2018

    thanx 4 the email shell get on2 it right away

  • Hendrik J Diedericks


    June 13, 2018

    Sorry for the problems if its possible I still want to use it

  • sylvia hankins


    June 13, 2018

    thank you so much in informing me

  • Jaroslav Urban


    June 13, 2018

    Thank you

  • Past Sikorski


    June 13, 2018

    I appreciate your quick action and thank you.

  • Heather Smith


    June 13, 2018

    Thanks for letting me know, I’ll change my password.

  • Barbara Forsyth


    June 13, 2018

    Thank you

  • jean boudreau


    June 14, 2018

    thank you

  • Margaret Chapman


    June 14, 2018

    Thankyou for letting me know

  • Patrick Sellar


    June 14, 2018

    Thank you

  • Mavis Marshment


    June 14, 2018

    Thank you for letting me know, I will change my password as soon as possible.

  • Marlene A Strudwick


    June 14, 2018

    Thank you for all your care and attention.

  • marvyn crone


    June 15, 2018

    Thanks for your promptness and transparency

  • Shella fox


    June 15, 2018

    Thank you

  • Tom Gunsell


    June 15, 2018

    Ok

  • Gergely Lajosné


    June 15, 2018

    Thank you!

  • Daniel Soiday


    June 15, 2018

    thank you

  • Susan Downey


    June 15, 2018

    Thank you taking the time to correct this particular issue.

  • Susan Downey


    June 15, 2018

    Thank you for taking the care to solve this issue

  • Cathy Kauffman


    June 15, 2018

    Thank you for expeditious action.

  • Алёна Змысля


    June 15, 2018

    Большое спасибо за вашу заботу о нашей безопасности)))

  • William C. Bill Hamilton


    June 15, 2018

    Many thanks. Your work will far exceed mine. I wish you the best. WCH

  • Graham Lindemann


    June 16, 2018

    Thank you heritage for that information

  • Michael Wilkinson


    June 16, 2018

    thank for moving so fast on this

  • Patricia Barnicott


    June 16, 2018

    Thanks for letting me know. I didn’t hear or know about this. I will try to change my password as requested.

  • Linda M Campillo


    June 16, 2018

    Thank you for this important information.

  • jaragon813@gmail.com


    June 16, 2018

    Thank you for keeping me updated

  • Candice Percival


    June 17, 2018

    Thank you for taking care of this matter

  • Rudolf Burkert


    June 17, 2018

    Thank You

  • Charles Nations


    June 17, 2018

    Thank you for the notice

  • Kazimieras


    June 18, 2018

    Thank you