Hack of DNA Website Exposes Data From 92 Million Accounts

(Bloomberg) -- Consumer genealogy website MyHeritage said that email addresses and password information linked to more than 92 million user accounts have been compromised in an apparent hacking incident.

MyHeritage said that its security officer had received a message from a researcher who unearthed a file named “myheritage” containing email addresses and encrypted passwords of 92,283,889 of its users on a private server outside the company.

“There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday.

MyHeritage lets users build family trees, search historical records and hunt for potential relatives. Founded in Israel in 2003, the site launched a service called MyHeritage DNA in 2016 that, like competitors Ancestry.com and 23andMe, lets users send in a saliva sample for genetic analysis. The website currently has 96 million users; 1.4 million users have taken the DNA test.

According to MyHeritage, the breach took place on Oct. 26, 2017, and affects users who signed up for an account through that date. The company said that it doesn’t store actual user passwords, but instead passwords encrypted with what’s called a one-way hash, with a different key required to access each customer’s data.

In some past breaches, however, hashing schemes have been successfully converted back into passwords. A hacker able to decrypt the hashed passwords exposed in the breach could access personal information accessible when logging into someone’s account, such as the identity of family members. But even if hackers were able to get into a customer’s account, it’s unlikely they could easily access raw genetic information, since a step in the download process includes email confirmation.

In its statement, the company emphasized that DNA data is stored “on segregated systems and are separate from those that store the email addresses, and they include added layers of security.”

MyHeritage has set up a 24/7 support team to assist customers affected by the breach. It plans to hire an independent cybersecurity firm to investigate the incident and potentially beef up security. In the meantime, users are advised to change their passwords.

As consumer DNA testing has grown into a $99 million industry, questions about the security of users’ intimate data have increased as well. After investigators tracked down a suspect in the Golden State Killer case using a genealogy website that, like MyHeritage, allows users to upload raw genetic information, privacy concerns about shared DNA data have also surged.

To contact the reporter on this story: Kristen V. Brown in San Francisco at kbrown340@bloomberg.net

To contact the editors responsible for this story: Drew Armstrong at darmstrong17@bloomberg.net, Timothy Annett, Mark Schoifet

©2018 Bloomberg L.P.