MyHeritage hack affects 92 million customers, reveals more risks with genealogy sites


Finding the roots of your family tree can be risky.

The accounts of 92 million customers of DNA testing and genealogy service MyHeritage have been compromised, the company announced this week. A security researcher alerted the Israel-based company to a file containing email addresses and “hashed” passwords of millions of MyHeritage users on a third party’s server. It affects customers who signed up to MyHeritage up to and including Oct. 26, 2017, the date of the breach.

Hashed passwords are stored as the output of a one-way function rather than as readable text, although privacy experts say hackers may still be able to crack them. The company disagrees. “MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer,” the Israel-based company said in a statement. “This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
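The storage scheme the company describes can be sketched as follows. This is an added example, not MyHeritage's code: the article does not name the algorithm, so PBKDF2-HMAC-SHA256 with a random 16-byte per-customer salt, the iteration count and all function names are assumptions. It shows that two customers with the same password get different stored hashes, and that a stored hash of a common password still matches a short list of guesses while a long unique one does not.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the article does not state one


def hash_password(password: str, salt: bytes | None = None) -> dict:
    """Build the record a site would store: a per-customer salt and a one-way hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def is_guessable(record: dict, common_passwords: list[str]) -> bool:
    """Audit check: does the stored hash match any password on a known-common list?"""
    return any(verify(guess, record) for guess in common_passwords)


# Constructed sample data, not taken from the breach.
COMMON = ["123456", "password", "qwerty"]
alice = hash_password("password")                    # common password
bob = hash_password("password")                      # same password, new salt
carol = hash_password("plum-Rivet-93-harbor-tunic")  # long, unique password

if __name__ == "__main__":
    print("same password, different hashes:", alice["hash"] != bob["hash"])
    print("alice guessable:", is_guessable(alice, COMMON))
    print("carol guessable:", is_guessable(carol, COMMON))
```

The per-customer salt prevents one precomputed table from covering every account, but it does nothing for a password that is already on a guess list, which is why a reset after a breach still matters.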


There is no evidence any MyHeritage accounts or related accounts have been affected, as credit-card information is not stored on MyHeritage and neither are family tree or DNA data, Omer Deutsch, chief information security officer at MyHeritage, said in a statement. “We have no reason to believe those systems have been compromised,” he said. The site set up a 24/7 security customer support team to assist customers who have concerns or questions about the incident.

Still, the breach underscores ongoing concerns about privacy in DNA testing, which has come with unforeseen consequences like data being accessed by law enforcement officials, sites uncovering secret relatives or, in some cases, surprises about the paternity of children. In April, authorities arrested a man believed to be the Golden State Killer after submitting a DNA sample to genealogy site GEDmatch under a fake name.

Breaches will only become more common as hackers find new loopholes to access data, said George Avetisov, chief executive officer of decentralized authentication company HYPR. Hackers often reuse the same log-in credentials to try to get into other accounts. “No matter how much a company invests in securing their password database, they’re only as secure as the MyHeritages of the world,” he said.

Despite continued recommendations by privacy experts, the majority of Americans still reuse passwords across sites. Security experts highly recommend using a different password for every website, implementing two-factor authentication, and investing in a good password manager to keep track of it all. For maximum safety, customer service representatives recommend customers change their password on MyHeritage.

Kari Paul is a personal finance reporter based in New York. You can follow her on Twitter @kari_paul.
