Company learned of the attack when a security researcher sent a data file.
Email addresses and hashed passwords of more than 92 million MyHeritage users were exposed in a cybersecurity breach on October 26, 2017, the popular genealogy company reported Monday, June 4, 2018.
MyHeritage said that it only learned of the breach earlier that day—more than seven months after the fact—when an unidentified “security researcher” sent the company’s chief information security officer a message. The researcher said they had found a file containing users’ data on a private server and passed a copy of the file along.
MyHeritage, which allows users to set up family trees and probe their DNA for clues about their ancestry, promptly reported the breach in a blog post, writing:
Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
The post went on to explain that the company does not store user passwords, only a one-way hash of each password, and that the hash key, known as a salt, differs for each user. Having a hashed password does not mean that the real password is revealed. Nevertheless, the company recommends that all users change their passwords “for maximum safety.”
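The storage scheme the post describes, a one-way hash with a different salt per user, sketched here as an added example that is not MyHeritage's code. The page does not name the hash function, so PBKDF2-HMAC-SHA256, the iteration count, the record layout and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed parameters: the page does not say which algorithm or work factor was used.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation: the password cannot be read back from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Build the record a site would store: salt and hash, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every user
    return {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the user's stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def hashes_match(rec_a: dict, rec_b: dict) -> bool:
    """True if two stored records carry the same hash value."""
    return hmac.compare_digest(rec_a["hash"], rec_b["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    shared = "correct horse battery staple"
    alice, bob = enroll(shared), enroll(shared)
    # Per-user salts mean the stored hashes differ, so a leaked file does not
    # show which accounts share a password.
    print("same stored hash:", hashes_match(alice, bob))
    print("login with right password:", verify(shared, alice))
    print("login with wrong password:", verify("guess", alice))
```

The salt is stored beside the hash and is not secret; it makes each user's hash unique, while the work factor is what slows guessing against a leaked file, which is why a password change is still the prudent step after exposure.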