
MyHeritage data breach

From EverybodyWiki Bios & Wiki

What Happened?

Earlier this year, in the summer of 2018, MyHeritage announced on its blog that user data had been stolen on October 26th, 2017 by unknown perpetrators. The company learned of the theft from a third-party cyber-security firm, which informed it that a file containing sensitive information about its users had been found on a private server. The stolen data consisted of the email addresses and hashed passwords of the 92,283,889 users who had signed up through October 26th, 2017[1]. Anyone who signed up after that date is unaffected by the breach. MyHeritage has stated that no other data was found on the server, and that there was no evidence of the data in the file being used[1]. Family trees and DNA data are stored on separate systems, so none of that data was part of the breach. MyHeritage sought to reassure users that their passwords remained secure even though the file was stolen, saying in its blog, “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords”[1]. It also assured users that the emails and hashed passwords have not been used, saying, “The security researcher reported that no other data related to MyHeritage was found on the private server. There has been no evidence that the data in the file was ever used by the perpetrators”[1]. This is good news for users of the service because it means that none of their other sensitive information was accessed, let alone spread on the internet. Although a properly hashed password is well protected, relying on the hash alone as a single layer of protection has weaknesses, discussed below. It is unknown how the perpetrators gained access to the file, but MyHeritage has worked on raising security and security awareness throughout the company.

Possible Repercussions

When a user types in a password on such a system, the password-handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is granted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, in many implementations, another value known as a ‘salt’. A salt prevents attackers from easily building a list of hash values for common passwords and prevents password-cracking efforts from scaling across all users[2]. It is unknown whether MyHeritage uses a salt with its hashing, because the company does not explicitly state whether it does or does not. If no salt is used with the hash function, the hashes could be vulnerable to rainbow-table attacks and other precomputed tables meant to reverse cryptographic hash functions, which are more efficient than cracking each hash from scratch[3]. If the hash function is well designed, it is computationally infeasible to reverse the hash, and the passwords are safe from that route. However, an attacker can use widely available tools to try to guess users' passwords by brute force[4]. The main concern for MyHeritage is that once an attacker has the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against each stored hash. An offline attacker (one who has the file) can guess at a rate limited only by the hardware on which the attack is running[5]. If the file taken in the MyHeritage breach were run through a powerful machine with a good password-cracking tool, then weak passwords could have been recovered one way or another.
This is all speculation, however, because MyHeritage said that its security team, along with the independent security investigator, found that “There has been no evidence that the data in the file was ever used by the perpetrators”[1].
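
The distinction the section draws, between a bare hash that is identical for every user with the same password and a per-user salted, slow hash (what MyHeritage's blog calls a hash key that "differs for each customer"), can be shown directly. The following is an added example, not MyHeritage's code; its users, passwords, wordlist and PBKDF2 work factor are constructed for illustration, and MyHeritage's real scheme is not published.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "Summer2017!", "bob": "Summer2017!"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor; MyHeritage's value is not published

def hash_unsalted(password: str) -> str:
    """Weak scheme: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(password: str) -> dict:
    """What the database should store: salt, work factor and hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iters": PBKDF2_ITERATIONS,
            "hash": hash_salted(password, salt)}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_salted(password, record["salt"], record["iters"])
    return hmac.compare_digest(candidate, record["hash"])

def has_duplicate_hashes(digests) -> bool:
    """True if two users' stored hashes collide, i.e. one guess answers for both."""
    digests = list(digests)
    return len(set(digests)) < len(digests)

def precomputed_lookup(stolen_digest: str, wordlist) -> Optional[str]:
    """A table of hashes for common passwords, built once and reused against
    every stolen unsalted digest; this is what a per-user salt defeats."""
    table = {hash_unsalted(word): word for word in wordlist}
    return table.get(stolen_digest)

def unsalted_table_hits(users: dict, wordlist) -> int:
    """How many users of the unsalted scheme one precomputed table recovers."""
    return sum(precomputed_lookup(hash_unsalted(p), wordlist) is not None
               for p in users.values())
```

With salted records, the same table is useless: each user's hash depends on a salt the table was not built with, so the guessing work must be repeated per user and paid at the KDF's cost.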

Steps Taken

MyHeritage has taken steps to assure its users that their accounts and information are safe, stating in its blog, “We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers… utilized by MyHeritage”[1]. As for other types of sensitive data, MyHeritage stated that family trees, DNA data and other data are stored on separate, segregated systems with extra layers of security, rather than just the hash algorithm[1]. This is good news regarding the breach, because it was limited to emails and hashed passwords. MyHeritage went on to encourage users to reset the passwords on their email accounts as well as their MyHeritage accounts, for further safety and peace of mind[6]. Along with the password resets, MyHeritage released a two-factor authentication feature on June 6th, 2018, just a few days after the discovery of the breach, to further secure users' information[6]. When enabled, it protects an account against unauthorized access even if someone else knows the password. With two-factor authentication, the user designates a mobile phone and links it to the account by providing MyHeritage with its number. Then, any time the user logs in from a new computer, tablet or phone, MyHeritage sends a six-digit verification code as a text (SMS) message to the designated mobile phone, and the user must enter it on MyHeritage to complete the login[6]. MyHeritage is also forcing every user to reset their password and expiring all old passwords so that they no longer work. In case users have questions, it set up a 24/7 security customer support team to assist them.
The way MyHeritage handled this massive data breach makes it one of the best-handled breaches to date. Even though the amount of stolen data was large (over 92 million user accounts compromised), the company responded immediately with an apology statement and said that it was investigating deeply.
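
The SMS second factor described above can be sketched from the server's side: a six-digit code is issued only for a login from an unrecognised device, and the server keeps just a salted hash of it with an expiry and an attempt counter, so a leaked session store does not leak usable codes. This is an added example, not MyHeritage's implementation; the code lifetime, attempt limit and device identifiers are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Tuple

CODE_TTL_SECONDS = 300  # assumed lifetime of a code; MyHeritage's value is not published
MAX_ATTEMPTS = 3        # assumed number of wrong guesses before the code is voided

def issue_code(now: float) -> Tuple[str, dict]:
    """Create a six-digit code for a login from an unrecognised device.
    The plaintext code goes to the SMS gateway; only a salted hash, an expiry
    and an attempt counter are kept in the server-side session store."""
    code = f"{secrets.randbelow(1_000_000):06d}"  # uniform over 000000..999999
    salt = os.urandom(16)
    challenge = {
        "salt": salt,
        "hash": hashlib.sha256(salt + code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code, challenge

def check_code(submitted: str, challenge: dict, now: float) -> bool:
    """Verify a submitted code: rejects expired, exhausted or already-used
    challenges, counts every attempt and compares in constant time."""
    if now >= challenge["expires"] or challenge["attempts"] >= MAX_ATTEMPTS:
        return False
    challenge["attempts"] += 1
    candidate = hashlib.sha256(challenge["salt"] + submitted.encode()).digest()
    if not hmac.compare_digest(candidate, challenge["hash"]):
        return False
    challenge["expires"] = 0.0  # single use: void the challenge on success
    return True

def needs_second_factor(device_id: str, trusted_devices: set) -> bool:
    """The trigger the blog describes: a code is required only when the
    login comes from a computer, tablet or phone not seen before."""
    return device_id not in trusted_devices
```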

References

  1. "MyHeritage Statement About a Cybersecurity Incident - MyHeritage Blog". blog.myheritage.com. 2018-06-04. Retrieved 2018-11-05.
  2. Alexander, Steven (2012-06-20). "The Bug Charmer: Passwords Matter". The Bug Charmer. Retrieved 2018-11-05.
  3. Florencio, Dinei; Herley, Cormac; van Oorschot, Paul C. (2014-11-01). "An Administrator's Guide to Internet Password Research" (PDF). USENIX LISA.
  4. "PINs and Passwords, Part 2". www.sleuthsayers.org. Retrieved 2018-11-05.
  5. "Password". Wikipedia. 2018-10-16. Retrieved 2018-11-05.
  6. "Cybersecurity Incident: June 10 Update - MyHeritage Blog". blog.myheritage.com. 2018-06-10. Retrieved 2018-11-05.


This article "MyHeritage data breach" is from Wikipedia. The list of its authors can be seen in its history and/or on the page Edithistory:MyHeritage data breach. Articles copied from the Draft namespace on Wikipedia can be seen in the Draft namespace of Wikipedia and not in the main one.