On Monday June 4th, Motherboard reported that DNA testing and genealogy website MyHeritage suffered a security breach in October 2017. A security researcher discovered a file located outside MyHeritage’s servers with email addresses and password hashes for over 92 million MyHeritage accounts. According to a statement from MyHeritage, no other data was compromised (MyHeritage does not store credit card information and keeps DNA data stored separately) and there is no evidence that the perpetrators used the data in the file.
The stolen passwords are hashed, meaning the file contains cryptographic representations of the passwords rather than the passwords themselves. An attacker could still try to crack them with a brute-force attack: typically by taking a dictionary of names and number combinations, hashing each candidate, and comparing the result against each user’s stored hash until a match reveals that user’s credentials. With this information, they could also run a targeted phishing campaign against the 92 million e-mail addresses, which could be quite effective.
Once an attacker has cracked the credentials of some percentage of those users, they could try those credentials on other services where the same user might have an account with the same password. For example, if my account at MyHeritage uses the same username and password as my account at Amazon, they could use my cracked credentials to spend money through my Amazon account.
To be fair, MyHeritage responded to the breach notification promptly and has a good security setup in place already. According to my colleague Tracy Hillstrom, WatchGuard’s Director of Product Marketing, “The company describes a layered security approach – including network segmentation of DNA data, separate systems for credit card information, and storage of passwords with one-way hashes with a unique key for each customer – which likely helped to reduce the scope of data lost in the breach.”
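The two points above (dictionary cracking of leaked hashes, and MyHeritage’s use of one-way hashes with a unique key per customer) can be illustrated side by side. The following is an added example written for this post, not code from MyHeritage: it compares a weak, unsalted fast hash with per-user salted PBKDF2 storage. Account names, passwords, the iteration count and the in-memory store are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed KDF parameters for this example; tune the iteration count for your own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash with no per-user salt (shown for comparison only).
    Every user with the same password gets the same hash, so one dictionary hit
    reveals all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored alongside the account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed in-memory credential store: username -> (salt, digest)."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample accounts; alice and bob deliberately share a password.
SAMPLE_USERS = {
    "alice": "Summer2017!",
    "bob": "Summer2017!",
    "carol": "correct horse battery",
}


def demo() -> dict:
    """Show that salting breaks the 'one crack, many accounts' property of unsalted hashes."""
    store = build_store(SAMPLE_USERS)
    legacy = {name: legacy_unsalted_hash(pw) for name, pw in SAMPLE_USERS.items()}
    return {
        "legacy_collides": legacy["alice"] == legacy["bob"],      # True: identical hashes
        "salted_collides": store["alice"][1] == store["bob"][1],  # False: different salts
        "alice_ok": verify_password("Summer2017!", *store["alice"]),
        "alice_wrong": verify_password("summer2017!", *store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-user salt is what forces an attacker to run the dictionary once per account instead of once for the whole dump, and the iteration count makes each of those runs expensive; the constant-time comparison in `verify_password` avoids leaking how many leading bytes of a guess were correct.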
According to the MyHeritage statement, the company plans to release a two-factor authentication feature to its users soon. This feature could possibly have prevented this breach, and multi-factor authentication (MFA) could help prevent users’ other accounts from being compromised if an attacker ends up cracking the MyHeritage data. Weak passwords are the cause of a high percentage of data breaches. With dozens of online accounts, few users are able to follow password best practices all the time. And with a rise in reported breaches containing user credentials, MFA is a key solution to block previously breached information from being used to access any business’s data.
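Password reuse across services, as described above, shows up on the defending side as credential stuffing: one source trying many different usernames in a short window, with the occasional success. The following detection logic is an added example for this post, not part of the original or of any vendor product. The log format, the sample events, the IP addresses and the thresholds are all constructed assumptions; it flags source addresses whose login attempts span many distinct accounts within a window and reports which accounts succeeded, which are the ones to force a reset on and to require MFA for.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample login events (not real logs): "ISO-timestamp source-ip username result".
# 203.0.113.7 walks through six different accounts in a few seconds and gets one hit;
# 198.51.100.9 is a single user retrying their own password.
SAMPLE_LOG = """\
2018-06-05T10:00:01 203.0.113.7 alice FAIL
2018-06-05T10:00:02 203.0.113.7 bob FAIL
2018-06-05T10:00:03 203.0.113.7 carol FAIL
2018-06-05T10:00:04 203.0.113.7 dave SUCCESS
2018-06-05T10:00:05 203.0.113.7 erin FAIL
2018-06-05T10:00:06 203.0.113.7 frank FAIL
2018-06-05T10:05:00 198.51.100.9 alice FAIL
2018-06-05T10:05:30 198.51.100.9 alice FAIL
2018-06-05T10:06:00 198.51.100.9 alice SUCCESS
"""


def parse_events(text: str) -> List[dict]:
    """Parse the constructed four-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "result": result})
    return events


def find_stuffing_sources(
    events: List[dict],
    window: timedelta = timedelta(minutes=10),
    min_attempts: int = 5,
    min_distinct_users: int = 4,
) -> Dict[str, dict]:
    """Return source IPs whose attempts in any sliding window hit both thresholds.
    For each flagged IP the largest qualifying window is reported, with the
    accounts that logged in successfully from it."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_ip[event["ip"]].append(event)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                best = flagged.get(ip)
                if best is None or len(span) > best["attempts"]:
                    flagged[ip] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "successes": sorted(e["user"] for e in span if e["result"] == "SUCCESS"),
                    }
    return flagged


def accounts_to_reset(text: str) -> List[str]:
    """Accounts that were successfully logged into from a flagged source."""
    hits = find_stuffing_sources(parse_events(text))
    return sorted({user for info in hits.values() for user in info["successes"]})


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
    print("force reset + MFA enrolment:", accounts_to_reset(SAMPLE_LOG))
```

The distinct-user threshold is what separates stuffing from an ordinary user mistyping their own password several times, which is why the second source in the sample is not flagged. In practice the thresholds and window would be tuned against your own baseline, and the successful logins from a flagged source are the accounts whose credentials were evidently reused elsewhere.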
A second point, which will probably take more time for MyHeritage to evaluate, is HOW the user database was stolen. This information has not been released yet.
If your company sustains a data breach, consider these three tips:
- Find out how the user database was stolen, and fix that vulnerability quickly (MyHeritage is likely working on this now).
- Advise that all users change their passwords immediately (which could be ineffective if you don’t do step one first).
- Implement multi-factor authentication for all users, and for any type of privileged access to those databases (MyHeritage announced this shift which is a great step).
Learn more about multi-factor authentication here on Secplicity.