The security experts found no evidence of other user data on the server, and because the passwords were hashed, only the email addresses were readable. The website now has 96 million users from around the world, 1.4 million of whom have taken the DNA test. The company doesn't store users' actual passwords; it transforms them into a jumble of characters, and performs the same operation when you enter your password to see if it matches the stored data.
Hashing passwords is a one-way process that allows sensitive data to be stored easily, and although there are theoretically ways to reverse hashing, they involve vast amounts of computing power and quite a bit of luck.
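The store-and-compare scheme described above, as an added example that is not from MyHeritage or the original article. The hash function (PBKDF2-HMAC-SHA256), the per-user salt, the iteration count and all names are assumptions, since the page does not say how the passwords were hashed.

```python
import hashlib
import hmac
import os

# Assumed work factor; the page gives no parameters.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transform: the same password and salt always give the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, email: str, password: str) -> None:
    """Store only the email, a random salt and the digest, never the password."""
    salt = os.urandom(16)
    db[email] = {"salt": salt, "hash": hash_password(password, salt)}


def login(db: dict, email: str, password: str) -> bool:
    """Repeat the same operation on the submitted password and compare digests."""
    record = db.get(email)
    if record is None:
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which emails are registered.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    db = {}  # constructed sample data standing in for the user table
    register(db, "alice@example.com", "correct horse battery")
    register(db, "bob@example.com", "correct horse battery")
    print("right password:", login(db, "alice@example.com", "correct horse battery"))
    print("wrong password:", login(db, "alice@example.com", "guess123"))
    # What a copy of the table exposes: readable emails, opaque salt and digest.
    for email, rec in db.items():
        print(email, rec["salt"].hex(), rec["hash"].hex())
```

With a per-user salt, two accounts that share a password still get different stored digests, so one successful guess does not unlock both.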
No other MyHeritage data was found on the server, and the company says it has "no reason to believe that any other MyHeritage systems were compromised". A hacker able to crack the hashed passwords exposed in the breach could log into someone's account and access the personal information available there, such as the identity of family members.
The Israel-based company's information security team reviewed the file and confirmed the data was from MyHeritage. This server contained email addresses and hashed passwords. After investigators tracked down a suspect in the Golden State Killer case using a genealogy website that, like MyHeritage, allows users to upload raw genetic information, privacy concerns about shared DNA data have also surged.
"Here's what many consumers don't realize, that their sensitive information can end up in the hands of unknown third-party companies", Schumer said last November. But, Hercher said, the security breach involving MyHeritage doesn't seem to be any different than security breaches at other companies that don't work with genetic information.
MyHeritage has also taken steps to inform relevant authorities, as per new GDPR rules.
In the meantime, it urged users to change their passwords.
However, MyHeritage has reemphasized in its statement that it hosts its DNA data on "a segregated system", which includes added layers of security, and no data has been breached.
Two-factor authentication was already in development, but the team is "expediting" its rollout, so if you're a user, be sure to set that up as soon as it's available.