92 Million User Credentials Exposed in MyHeritage Data Breach
7.6.18 securityweek Incindent

[Updated] MyHeritage, a DNA and genealogy firm, announced Monday that the access credentials of 92 million users had been stolen. It only discovered the breach when a security researcher informed the company he had found a file named myheritage stored outside of MyHeritage.

The file contains, writes MyHeritage CISO Omer Deutsch in a statement, "the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach." He stresses that the passwords are stored as "a one-way hash of each password, in which the hash key differs for each customer" (possibly implying that each password is hashed with a unique salt).

Deutsch believes that only the credentials were stolen. "We have no reason to believe that any other MyHeritage systems were compromised." Furthermore, he adds, "we have not seen any activity indicating that any MyHeritage accounts had been compromised." Payment data, user DNA data and family trees have not been affected.

MyHeritage went public with commendable speed – on the same day it learnt of the breach. However, some aspects of the statement are concerning. For example, it immediately set up an incident response team to investigate the incident. Best practice would have such a team already established in anticipation of a breach.

The firm is expediting "work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon." Best practice would have had MFA in place long ago. Furthermore, it will 'recommend' rather than require users to employ the MFA option. It also recommends users should change their passwords, when it should perhaps force a password reset on all users.

"It appears that MyHeritage hasn't taken the steps to automatically require users to change passwords, just that they recommend they do," comments Absolute Software's Global Security Strategist Richard Henderson. "That should be an immediate action for any breach of this type. We still don't know (and neither do they) how this information was stolen, or the motives for doing so... and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October."

The reassuring tone of the MyHeritage statement is also challenged by Anthony James, CMO of CipherCloud. "Don't believe for a second that a hashed password is safe," he says. "Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts."

The unknown quality of the hashing function could make the credential cracking more difficult, but not necessarily impossible. Furthermore, it may not be necessary if the user has had the same password with the same email address stolen in a different breach with a weak hash function. SecurityWeek has contacted MyHeritage asking for further details on the hashing process, and will update this report with any response.

Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, "as demonstrated by the seven-month delay, and the fact they were alerted by a third party." The implication is that the firm does not have adequate detection capabilities – and if it failed to detect this, there may be other incidents with the other systems that have also gone undetected.

This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. "If your password is stolen, it can be updated, but this isn't the case with genetic information," she warns. "You only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don't think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There's even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future."

There is potentially an additional side-story to this incident. MyHeritage reports, "We are taking steps to inform relevant authorities including as per GDPR." SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?

The firm lists numerous contact phone numbers in various European countries, including the provision of "24/7 support" from the Irish phone. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is liable under GDPR, and it seems that it is reachable by the GDPR authorities via its European offices. The only question here is whether Europe will decide to make a high-profile example of MyHeritage early into the GDPR age.

But what about the researcher? Is he or she also liable under GDPR for unsanctioned storage of and access to European PII? It is a moot point. The UK's Information Commissioner's Office has told SecurityWeek that researchers are exempt from GDPR under the principle of 'legitimate interest'.

This is not the view of David Flint, senior partner at MacRoberts LLP. Asked if researchers should be concerned about GDPR, he told SecurityWeek, "The short answer is YES! Under the GDPR/DPA 18 the researcher couldn't be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller."

So, as a controller, "If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. (article 14). Article 89 GDPR deals with an exemption for historical research which doesn't seem relevant here."

It is interesting times. MyHeritage users will need to wait to see if their DNA has or may be compromised, researchers will need to wait to see if GDPR may be enforced against them; and businesses around the world – including MyHeritage – will be waiting to see how forcefully GDPR will be enforced by the European Union.

Update

In a new blog posted Wednesday, MyHeritage has announced that it will be retiring all existing MyHeritage passwords. "To maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage," writes CISO Omer Deutsch. "This process will take place over the next few days. It will include all 92.3 million affected user accounts plus all 4 million additional accounts that have signed up to MyHeritage after the breach date of October 26, 2017. As of now, we’ve already expired the passwords of more than half of the user accounts on MyHeritage. Users whose passwords were expired are forced to set a new password and will not be able to access their account and data on MyHeritage until they complete this."