
Secplicity - Security Simplified

Powered by WatchGuard Technologies

MyHeritage DNA Testing Service Breach Highlights The Importance of Two-Factor Authentication

June 6, 2018 By Alexandre Cagnoni


On Monday June 4th, Motherboard reported that DNA testing and genealogy website MyHeritage suffered a security breach in October 2017. A security researcher discovered a file located outside MyHeritage’s servers with email addresses and password hashes for over 92 million MyHeritage accounts. According to a statement from MyHeritage, no other data was compromised (MyHeritage does not store credit card information and keeps DNA data stored separately) and there is no evidence that the perpetrators used the data in the file.

The stolen passwords were stored as hashes, that is, one-way cryptographic representations of the passwords rather than the passwords themselves. An attacker could still try to crack them with a brute-force or dictionary attack: take a list of common words and names combined with numbers, hash each candidate, and compare the result against each user’s stored password hash until a match reveals the credential. With this type of information, they would also be able to run a targeted phishing campaign against the 92 million e-mail addresses, which could be quite effective.

Once an attacker gets the credentials of a percentage of those users, they could try to use them on different services where the user might have an account with the same password. For example, if my account at MyHeritage uses the same username and password as my account at Amazon, they could use my cracked credentials to spend money with my Amazon account.

To be fair, MyHeritage responded to the breach notification promptly and has a good security setup in place already. According to my colleague Tracy Hillstrom, WatchGuard’s Director of Product Marketing, “The company describes a layered security approach – including network segmentation of DNA data, separate systems for credit card information, and storage of passwords with one-way hashes with a unique key for each customer – which likely helped to reduce the scope of data lost in the breach.”
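The "unique key for each customer" in the quote above is what password-storage engineers call a per-user salt. The following Python example, added here and not taken from MyHeritage or the original article, contrasts a fast unsalted hash with a salted, slow key-derivation scheme. The algorithm (PBKDF2-HMAC-SHA256), the iteration count and the storage format are assumptions for the example; the article does not say what MyHeritage actually uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor and salt length for this example only.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a fast hash with no salt.

    Every user who picked the same password gets the same digest, so one
    precomputed dictionary of hashes tests every account in a leaked file at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the
    parameters travel with the record and can be raised later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iterations, compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def compare_schemes(password: str) -> dict:
    """Show what happens when two accounts share a password under each scheme."""
    return {
        "unsalted_identical": unsalted_sha1(password) == unsalted_sha1(password),
        "salted_identical": hash_password(password) == hash_password(password),
    }


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print(compare_schemes("hunter2"))
```

With the salted scheme, a cracked hash only ever reveals one account's password, and each guess costs the attacker the full iteration count, which is the point of choosing a slow function over SHA-1 or MD5.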

According to the MyHeritage statement, the company plans to release a two-factor authentication feature to its users soon. This feature could possibly have prevented this breach, and multi-factor authentication (MFA) could help prevent users’ other accounts from being compromised if an attacker ends up cracking the MyHeritage data. Weak passwords are the cause of a high percentage of data breaches. With dozens of online accounts, few users are able to follow password best practices all the time. And with a rise in reported breaches containing user credentials, MFA is a key solution to block previously breached credentials from being used to access any business’s data.
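To make concrete why a cracked password alone is not enough once a second factor is in place, here is an added example (not MyHeritage's code, and not from the original article) of the time-based one-time password scheme most authenticator apps implement, RFC 6238 TOTP on top of RFC 4226 HOTP. The secret below is the published RFC test-vector seed, used here as a constructed demo value; a real deployment generates a random secret per user and stores it as carefully as a password hash.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the 20-byte ASCII seed from the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, the usual authenticator-app setting
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one adjacent step either side to tolerate clock skew.

    Each comparison is constant-time so the check leaks nothing about the expected code.
    """
    counter = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def login(password_ok: bool, secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """Both factors must pass: a correct (possibly cracked) password is not enough."""
    return password_ok and verify_totp(secret, submitted_code, unix_time)


if __name__ == "__main__":
    now = 59  # the RFC 6238 test instant; use int(time.time()) in a real service
    print("code at t=59:", totp(DEMO_SECRET, now))
    print("password only:", login(True, DEMO_SECRET, "000000", now))
    print("password + code:", login(True, DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

A production verifier also remembers the last counter value it accepted for each user and refuses to accept that step again, so a code that is phished or intercepted cannot be replayed within its window.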

A second point, which will probably take more time for MyHeritage to evaluate, is HOW the user database was stolen. This information has not been released yet.

If your company sustains a data breach, consider these three tips:

  1. Find out how the user database was stolen, and fix that vulnerability quickly (MyHeritage is likely working on this now).
  2. Advise that all users change their passwords immediately (which could be ineffective if you don’t do step one first).
  3. Implement multi-factor authentication for all users, and for any type of privileged access to those databases (MyHeritage announced this shift which is a great step).

Learn more about multi-factor authentication here on Secplicity.


Filed Under: Editorial Articles, Featured
