
MyHeritage DNA testing service says breach affected 92M users' data

The data includes email addresses and hashed passwords.

Abrar Al-Heeti Technology Reporter

Data breaches are never fun, but they can be especially troubling when they happen on platforms with access to supersensitive information -- like your DNA. 

On Monday, MyHeritage, a platform that offers DNA testing and genealogy services, learned it had been breached, after a security researcher reported finding a file that contained email addresses and hashed passwords on a private server. 

The Israel-based company's information security team reviewed the file and confirmed the data was from MyHeritage. It includes the email addresses and hashed passwords of the more than 92 million users who signed up for the platform up to Oct. 26, 2017, which was the date of the breach, according to a statement from MyHeritage.

The company said it doesn't store user passwords, and instead stores a one-way hash of every password, in which the hash key (a per-user salt) is different for every customer. "This means that anyone gaining access to the hashed passwords does not have the actual passwords," the company said. Salting defeats precomputed lookup tables, but an attacker holding the file can still test guesses against each hash offline, so weak or reused passwords remain at risk.
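The following is an added illustration of what "a one-way hash with a different hash key for every customer" means in practice, and of what such a file does and does not protect. It is not MyHeritage's code, and the company has not disclosed its algorithm: PBKDF2-HMAC-SHA256 with a random 16-byte salt is this example's assumption, and the user records and guess list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed parameters (not MyHeritage's): a slow KDF so each guess costs the attacker time.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed sample accounts; two users chose the same weak password on purpose.
CONSTRUCTED_USERS: List[Tuple[str, str]] = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "x7!Qm#2vLp9$wZ4r"),
]

# Constructed wordlist standing in for the common-password lists attackers use.
COMMON_GUESSES: List[str] = ["123456", "letmein", "password123", "qwerty"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied,
    so the stored value differs per customer even for identical passwords."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_user_table(credentials: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a leaked credential file holds: email -> (salt, hash). The password itself is never stored."""
    return {email: hash_password(pw) for email, pw in credentials}


def salted_hashes_differ(table: Dict[str, Tuple[bytes, bytes]], email_a: str, email_b: str) -> bool:
    """True when two users' stored hashes differ. With per-user salts this holds even for
    identical passwords, which is why a precomputed (rainbow) table is useless against the file."""
    return table[email_a][1] != table[email_b][1]


def offline_guess(table: Dict[str, Tuple[bytes, bytes]], email: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker who obtained the file can still do: run guesses against one
    user's salt+hash offline. Returns the recovered password, or None if no guess matched."""
    salt, digest = table[email]
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


if __name__ == "__main__":
    table = build_user_table(CONSTRUCTED_USERS)
    print("alice and bob share a password; hashes differ:",
          salted_hashes_differ(table, "alice@example.com", "bob@example.com"))
    for email, _ in CONSTRUCTED_USERS:
        print(f"{email}: offline guess ->", offline_guess(table, email, COMMON_GUESSES))
```

Run as a script, it shows that the salt hides the fact that alice and bob share a password, yet alice's and bob's weak password still falls to a four-word guess list, while carol's long random password does not; the slow KDF only raises the per-guess cost. That is the gap between "does not have the actual passwords" and "cannot recover any passwords", and the reason a password reset is still the right advice.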

The security researcher, whom MyHeritage didn't name, reported that the server didn't contain any other data related to the company. The company said there isn't any evidence that the data was ever improperly used. Since the date of the breach, MyHeritage said, "we have not seen any activity indicating that any MyHeritage accounts had been compromised."

MyHeritage said it believes the breach was limited to the file of user email addresses and hashed passwords, and that it has no reason to believe any other systems were compromised. Credit card information isn't stored on MyHeritage, it said, but is instead stored on "trusted third-party billing providers" like BlueSnap and PayPal.

As for sensitive DNA data and family tree information, MyHeritage says that info is stored on separate systems from the ones that store email addresses, "and they include added layers of security. We have no reason to believe those systems have been compromised," the company said.

MyHeritage recommends users change their passwords (and, since exposed hashes are routinely cracked and reused, any other account sharing the same password) and said they should take advantage of a two-factor authentication feature the company plans to release soon. MyHeritage said it's set up an Information Security Incident Response Team to investigate the breach. It's also working with an independent cybersecurity firm, which will conduct reviews to determine the scope of the breach and offer suggestions on preventing something like this from happening again.

As DNA and genealogy platforms become more popular, privacy concerns will undoubtedly also rise. Current health privacy laws predate platforms like 23andMe and Ancestry.com, and therefore don't adequately protect genetic privacy. Still, DNA sites could be promising for the future of medicine. The National Institutes of Health kicked off its All of Us project last month, which looks to tap genetic data to "uncover paths toward delivering precision medicine."

The platforms are also being used in another area: law enforcement. In April, open-source genealogy site GEDmatch was credited with helping catch the Golden State Killer suspect. GEDmatch's co-founder said at the time that he didn't know his site's services were being used to pursue the killer, and he said the company doesn't give out data. That same database was used in May to identify the suspect in a 1987 homicide.