About a Cybersecurity Incident
By Omer Deutsch,
Chief Information Security Officer, MyHeritage
June 6, 2018
On June 4, 2018, at approximately 1pm EST, MyHeritage's Chief Information
Security Officer received a message from a security researcher who had
found a file named "myheritage", containing email addresses and hashed
passwords, on a private server outside of MyHeritage. Our Information
Security Team received the file from the security researcher, reviewed
it, and confirmed that its contents originated from MyHeritage and
included the email addresses and hashed passwords of all users who had
signed up to MyHeritage up to October 26, 2017.
Immediately upon receipt of the file, MyHeritage's Information Security
Team analyzed it and began an investigation to determine how its
contents were obtained and to identify any potential exploitation of
MyHeritage systems. We determined that the file was legitimate and
included the email addresses and hashed passwords of 92,283,889 users
who had signed up to MyHeritage up to and including October 26, 2017,
which is the date of the breach. MyHeritage does not store user
passwords, but rather a one-way hash of each password, computed with a
hash key (salt) that differs for each customer. This means that anyone
gaining access to the file does not have the actual passwords and cannot
read them directly from the hashes. A per-customer key does not,
however, prevent offline guessing: a weak or reused password can still
be recovered by hashing candidate passwords with that customer's key and
comparing the result, which is why we recommend below that all users
change their MyHeritage password.
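The following is an added illustration, written for this page and not MyHeritage's own code, of what a per-customer salted one-way hash does and does not protect. The hash algorithm (PBKDF2-HMAC-SHA256), the iteration count, the three user records and the guess list are all assumptions constructed for the example; nothing on this page states which scheme MyHeritage actually used.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The iteration count is kept modest so the offline-guessing demo runs quickly;
# a production deployment would use a far higher cost.
ITERATIONS = 50_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way hash of a password under a per-user salt (the per-customer 'hash key')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_record(email: str, password: str) -> dict:
    """What the server stores for one user: never the password, only salt + hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "email": email,
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Login check: recompute the hash under the stored salt, compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = hash_password(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)


def crack(records: list, wordlist: list) -> dict:
    """Offline dictionary attack an attacker can run against a leaked table.

    Because every user has a different salt, each guess must be re-hashed per
    user: precomputed (rainbow) tables are useless and the work scales with
    users x guesses. The salt does NOT stop the attack; only the password's
    strength and the hash's cost decide whether a given user is recovered.
    """
    found = {}
    for rec in records:
        salt = bytes.fromhex(rec["salt"])
        target = bytes.fromhex(rec["hash"])
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt), target):
                found[rec["email"]] = guess
                break
    return found


# Constructed sample table standing in for a leaked "emails + hashed passwords" file.
LEAKED = [
    new_record("alice@example.com", "password123"),   # weak
    new_record("bob@example.com", "password123"),     # same weak password, different salt
    new_record("carol@example.com", "J7#v!qLp9-zT2w"),  # strong, not in any wordlist
]

# Constructed guess list; a real attacker uses millions of entries.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


if __name__ == "__main__":
    # Same password, but distinct stored hashes because the salts differ.
    print("alice/bob hashes equal:", LEAKED[0]["hash"] == LEAKED[1]["hash"])
    print("recovered from leak:", crack(LEAKED, WORDLIST))
```

Two points fall out of running it: alice and bob chose the same password yet their stored hashes differ, so an attacker cannot even tell from the file that they share one; and both are recovered anyway because the password itself is guessable, while carol's is not. That is the practical meaning of "the attacker does not have the actual passwords": true for strong, unique passwords, and not a safe assumption for weak or reused ones.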
The security researcher reported that no other data related to
MyHeritage was found on the private server. There has been no evidence
that the data in the file was ever used by the perpetrators. Between
October 26, 2017 (the date of the breach) and the present, we have not
seen any activity indicating that any MyHeritage accounts have been
compromised. We believe the intrusion is limited to the user email
addresses and hashed passwords. We have no reason to believe that any
other MyHeritage systems were compromised.
For example, credit card information is not stored on MyHeritage at
all, but only by the trusted third-party billing providers (e.g.
BlueSnap, PayPal) used by MyHeritage. Other types of sensitive data,
such as family trees and DNA data, are stored by MyHeritage on
segregated systems, separate from those that store the email addresses,
with added layers of security. We have no reason to believe those
systems have been compromised.
Steps We’ve Taken
Immediately upon learning about the incident, we set up an Information
Security Incident Response Team to investigate the incident. We are also
taking immediate steps to engage a leading, independent cybersecurity
firm to conduct comprehensive forensic reviews to determine the scope of
the intrusion; and to conduct an assessment and provide recommendations
on steps that can be taken to help prevent such an incident from
occurring in the future.
We are taking steps to inform relevant authorities including as per
We will be expediting our work on the upcoming two-factor authentication
feature, which we will make available to all MyHeritage users soon. This
will allow users who wish to take advantage of it to authenticate
themselves using a mobile device in addition to a password, further
hardening their MyHeritage accounts against illegitimate access.
We set up a 24/7 security customer support team to assist customers who
have concerns or questions about the incident.
What Our Users Should Do
Users who have questions or concerns about this incident can contact our
security customer support team via email at email@example.com or by
phone via the toll-free number (USA) +1 888 672 2875, available 24/7.
For all registered users of MyHeritage, we recommend that, for maximum
safety, they change their password on MyHeritage. The procedure for
doing this is described in the MyHeritage FAQ article. Once MyHeritage
releases the upcoming two-factor authentication feature, we recommend
that all our users take advantage of it.
For now, there are no other actions that MyHeritage users need to take
as a result of this incident. However, we always recommend that you take
the time to evaluate your security practices. Please avoid using the
same password for multiple services or websites. It is good practice to
use strong, unique passwords and to change any password that may have
been exposed.
As always, your privacy and the security of your data are our highest
priority. We continually assess our procedures and policies and seek new
ways to improve our approach to security. We understand the importance
of our role as custodians of your information and work every day to earn
Thank you for your understanding.