MyHeritage Statement About a Cybersecurity Incident

MyHeritage Statement About a Cybersecurity Incident

Comments14

Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.

Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system. We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.

The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators. Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.

Steps We’ve Taken

Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident. We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.

We are taking steps to inform relevant authorities including as per GDPR.

We will be expediting our work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon. This will allow users interested in taking advantage of it, to authenticate themselves using a mobile device in addition to a password, which will further harden their MyHeritage accounts against illegitimate access.

We set up a 24/7 security customer support team to assist customers who have concerns or questions about the incident.

What Our Users Should Do

MyHeritage users who have questions or concerns about this incident can contact our security customer support team via email on privacy@myheritage.com or by phone via the toll-free number (USA) +1 888 672 2875, available 24/7.

For all registered users of MyHeritage, we recommend that for maximum safety, they change their password on MyHeritage. The procedure for doing this is described in the MyHeritage FAQ article. Once MyHeritage releases the upcoming two-factor-authentication feature, we recommend to all our users to take advantage of it.

For now, there are no other actions that MyHeritage users need to take as a result of this incident. However, we always recommend that you take the time to evaluate your security practices. Please, avoid using the same password for multiple services or websites. It’s good practice to use stronger passwords and to change them often.

Going Forward

As always, your privacy and the security of your data are our highest priority. We continually assess our procedures and policies and seek new ways to improve our approach to security. We understand the importance of our role as custodians of your information and work every day to earn your trust.

Thank you for your understanding.

Contact

Omer Deutsch
Chief Information Security Officer, MyHeritage
Email: dpo@myheritage.com

Leave a comment

The email address is kept private and will not be shown

  • Aileen Susan Jeffery


    June 9, 2018

    I really enjoy finding new family connections through MyHeritage, I check all the listed names to make sure they are linked to my Ancestors and save the emails. Thank you. Susan Jeffer

  • Milton J. Hanlan


    June 10, 2018

    It is a good feeling to know you folks are really looking after us. May GOD bless each & every one of you. Milton Hanlan.

  • Antonio Pabalan


    June 11, 2018

    Thank you, so very much. Quite pleased that you are on the alert, for all of us.

  • Jill Kramer


    June 12, 2018

    It is good you have reacted so quickly. Thank you

  • Betty Arrington Harrison


    June 14, 2018

    thank you for6 protecting our si-te

  • Dakota May Thompson


    June 15, 2018

    This is something new & I really like it

  • alinaghi Mirmoayedi


    June 15, 2018

    Thank you for your action for protecting our informations..Alinaghi Mirmoayedi

  • Sandra Simpson


    June 16, 2018

    I really love findings our history

  • cathy griffin


    June 17, 2018

    I have not use MyHeritage account cause it cost to much at that time or any time so I am glad to see you are updated to find things out keep the good work up.

  • Vivien Phillips


    June 17, 2018

    I’m so glad you all at MyHeritage are looking out for your customer’s thank you

  • KR Harrold


    June 17, 2018

    Thank you for your updates. I am glad to know your site has the integrity to alert us in the same timely fashion. I don’t remember my own password to Change it.

  • Anna Rice


    June 17, 2018

    Think I will change my password even though the smart losers “supposedly” can’t get into anyone’s family tree or whatever. If I can get on the website that is.

  • Heather Jayne Thornton-Dutton


    June 18, 2018

    Thank you for letting me know of this information. I hopefully would like to one day carrying on with my family history. It’s important to me. But due to on going illness I’m finding it difficult to carry out even the simplest tasks. Thanks once again.

  • Marie Johnson


    June 19, 2018

    I haven’t used it yet but once I do I will update it after I’ve used it.