Account data tied to 92 million users of the genealogy and DNA testing service MyHeritage were found on a third-party “private” server in a breach that exposed usernames and passwords of customers.
The breach is the largest since last year’s Equifax leak of 147.9 million pieces of private data, including Social Security numbers, birth dates, addresses and some driver’s license numbers.
Users who signed up for the service before October 26, 2017 are impacted, according to a MyHeritage statement released on Monday regarding the incident.
“Today, June 4, 2018 at approximately 1 p.m. EST, MyHeritage’s chief information security officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage,” the statement reads.
The company did not elaborate on the ownership or origin of the server. It did, however, confirm that the data originated from MyHeritage and included email addresses and hashed passwords of 92,283,889 users. No other data, such as user financial information or DNA and genealogy specifics, was found on the server hosting the data.
“We have no reason to believe that any other MyHeritage systems were compromised… Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the firm said.
The Israel-based MyHeritage said the hash key differs for each customer password, suggesting the passwords were salted and hashed, which makes it harder for cybercriminals to crack the 92 million individual hashed passwords.
The company noted it was complying with recently enacted General Data Protection Regulation (GDPR) rules from the European Union, given its multinational customer base. “We are taking steps to inform relevant authorities including as per GDPR,” the company said. Under GDPR rules, passed May 25, companies with customers inside the EU have 72 hours to report a breach after becoming aware of the incident.
The genealogy and DNA testing service company said it would be implementing two-factor authentication features for user accounts as well.
DNA databases have come under closer scrutiny as more online companies commoditize the service, offering genetic sequencing at low prices and warehousing the data. Privacy activists warn that while DNA databases can be a boon when it comes to tracking down and arresting people such as Joseph James DeAngelo, the alleged “Golden State Killer,” DNA samples can also be leaked and abused by criminals or by over-reaching law enforcement officials.