MyHeritage, a DNA testing site, has revealed that the email addresses and hashed passwords of 92,283,889 users were exfiltrated in a breach which occurred in October 2017.
The company’s attention was drawn to the leak by a security researcher who found the file containing the data on a private server outside of MyHeritage. The file was determined to be legitimate.
However, the security researcher found no other data related to MyHeritage users on the server. The company has assured users that email addresses appear to be the only leaked data, as the passwords were hashed, the website does not store payment card information, and sensitive material such as DNA data is stored in a segmented system with additional security layers.
The company also emphasised that there is no evidence that the data in the file was ever used by the hacker(s) who stole it, and that there has been no indication that the accounts involved have been compromised in any way.
However, MyHeritage did not discuss how the hacker was able to gain access to the email addresses, so without knowledge of the vulnerability exploited, it may be premature to say that no other data has been compromised.
In response to the breach, the company has set up an Information Security Incident Response Team, and is expediting its plans to introduce optional two-factor authentication.