Data breaches are never fun, but they can be especially troubling when they happen on platforms with access to supersensitive information -- like your DNA.
On Monday, MyHeritage, a platform that offers DNA testing and genealogy services, learned it had been breached, after a security researcher reported finding a file that contained email addresses and hashed passwords on a private server.
The Israeli-based company's information security team reviewed the file and confirmed the data was from MyHeritage. It includes the email addresses and hashed passwords of the more than 92 million users who signed up for the platform up to Oct. 26, 2017, which was the date of the breach, according to a statement from MyHeritage.
The company said it doesn't store user passwords, and instead stores a one-way hash of every password, in which the hash key is different for every customer. "This means that anyone gaining access to the hashed passwords does not have the actual passwords," the company said.
The security researcher, whom MyHeritage didn't name, reported that the server didn't contain any other data related to the company. The company said there isn't any evidence that the data was ever improperly used. Since the date of the breach, MyHeritage said, "we have not seen any activity indicating that any MyHeritage accounts had been compromised."
MyHeritage said it believes the breach was limited to user email addresses, and that it has no reason to believe any other systems were compromised. Credit card information isn't stored on MyHeritage, it said, but is instead stored on "trusted third-party billing providers" like BlueSnap and PayPal.
As for sensitive DNA data and family tree information, MyHeritage says that info is stored on separate systems from the ones that store email addresses, "and they include added layers of security. We have no reason to believe those systems have been compromised," the company said.
MyHeritage recommends users change their passwords and said they should take advantage of a two-factor authentication feature the company plans to release soon. MyHeritage said it's set up an Information Security Incident Response Team to investigate the breach. It's also working with an independent cybersecurity firm, which will conduct reviews to determine the scope of the breach and offer suggestions on preventing something like this from happening again.
As DNA and genealogy platforms become more popular, privacy concerns will undoubtedly also rise. Current health privacy laws outdate platforms like 23andMe and Ancestry.com, and therefore don't adequately protect genetic privacy. Still, DNA sites could be promising for the future of medicine. The National Institutes of Health kicked off its All of Us project last month, which looks to tap genetic data to "uncover paths toward delivering precision medicine."
The platforms are also being used in another area: law enforcement. In April, open-source genealogy site GEDmatch was credited with helping. GEDmatch's co-founder said at the time that he didn't know his site's services were being used to pursue the killer, and he said the company doesn't give out data. That same database was used in May to .