Breach at DTC genetic testing company MyHeritage hits 92M users

A data breach at MyHeritage, an online genealogy platform and direct-to-consumer genetic testing service, exposed the email addresses and hashed passwords of 92 million customers in October 2017.

MyHeritage provides an online platform for users to create family trees, search historical records and — through its MyHeritage DNA business — "uncover your ethnic origins and find new relatives," according to the company's website.

MyHeritage confirmed the breach in a statement June 4 — the same day the company said it learned of the cybersecurity incident.

Here are four things to know about the breach:

1. An unnamed security researcher told MyHeritage June 4 he had found a file named "myheritage" on a private, third-party server. MyHeritage's information security team reviewed the file and confirmed its contents included email addresses and hashed passwords from MyHeritage users who had signed up for the company's services up to October 26, 2017, the date of the breach.

2. In its statement, MyHeritage emphasized the breach did not affect users' passwords, only the "hashed" counterpart the company holds.

"MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer," the statement reads. "This means that anyone gaining access to the hashed passwords does not have the actual passwords."

3. MyHeritage noted there is no evidence credit card information, family trees or DNA data were compromised, and said the company has not seen any activity indicating MyHeritage accounts have been compromised. "There has been no evidence that the data in the file was ever used by the perpetrators," the company wrote.

4. The company did not explain how the breach occurred, but said it plans to hire an independent cybersecurity firm to determine the scope of the intrusion. MyHeritage also said it plans to expedite its work on a two-factor authentication feature, which it encourages all users to enroll in upon release.

In the meantime, the company suggested all MyHeritage users change their password for "maximum safety."

Copyright © 2022 Becker's Healthcare. All Rights Reserved.