Consumer genealogy website MyHeritage said that email addresses and password information linked to more than 92 million user accounts have been compromised in an apparent hacking incident.
MyHeritage said that its security officer had received a message from a researcher who unearthed a file named “myheritage” containing email addresses and encrypted passwords of 92,283,889 of its users on a private server outside the company.
“There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.
MyHeritage lets users build family trees, search historical records and hunt for potential relatives. Founded in Israel in 2003, the site launched a service called MyHeritage DNA in 2016 that, like competitors Ancestry.com and 23andMe, lets users send in a saliva sample for genetic analysis. The website currently has 96 million users; 1.4 million users have taken the DNA test.
According to MyHeritage, the breach took place on Oct. 26, 2017, and affects users who signed up for an account through that date. The company said that it doesn’t store actual user passwords, but instead passwords encrypted with what’s called a one-way hash, with a different key required to access each customer’s data. So we ask “Why did it take so long to declare a breach”
In some past breaches, however, hashing schemes have been successfully converted back into passwords. A hacker able to decrypt the hashed passwords exposed in the breach could access personal information accessible when logging into someone’s account, such as the identity of family members. But even if hackers were able to get into a customer’s account, it’s unlikely they could easily access raw genetic information, since a step in the download process includes email confirmation.
In its statement, the company emphasized that DNA data is stored “on segregated systems and are separate from those that store the email addresses, and they include added layers of security.”
MyHeritage has set up a 24/7 support team to assist customers affected by the breach. It plans to hire an independent cybersecurity firm to investigate the incident and potentially beef up security. In the meantime, users are advised to change their passwords.
Why would hackers “Criminals” want to steal and then sell DNA back for ransom? Hackers could threaten to revoke access or post the sensitive information online if not given money. This data could be very valuable to insurance companies (Medical, and Life), mortgage companies, and then you ask “why”? In a world where data is posted online, it could be used to genetically discriminate against people, such as denying mortgages or increasing insurance costs. (it doesn’t help that interpreting genetics is complicated and many people don’t understand the probabilities anyway.) This data could be sold on the down-low or monetized to insurance companies, You can imagine the consequences: One day, I might apply for a long-term loan and get rejected because deep in the corporate system, there is data that I am very likely to get Alzheimer’s and die before I would repay the loan. In the future, if genetic data becomes commonplace enough, people might be able to pay a fee and get access to someone’s genetic data, the way we can now access someone’s criminal background.
Case and point, Sacramento investigators tracked down East Area Rapist suspect Joseph James DeAngelo using genealogical websites that contained genetic information from a relative, the Sacramento County District Attorney’s Office confirmed Thursday.
The effort was part of a painstaking process that began by using DNA from one of the crime scenes from years ago and comparing it to genetic profiles available online through various websites that cater to individuals wanting to know more about their family backgrounds by accepting DNA samples, said Chief Deputy District Attorney Steve Grippi.