Not so happy families: Online genealogy website suffers data breach

By Cameron Abbott, Rob Pulham and Sarah Goegan

Online genealogy platform MyHeritage suffered a major data breach in which email addresses and hashed passwords of over 92 million users were leaked. The data breach occurred in October 2017, but was not discovered until 4 June 2018.

MyHeritage became aware of the breach after a security researcher found a file named “myheritage” on a private server. The file contained all the email addresses of MyHeritage users who signed up through to 26 October 2017, and their hashed passwords.

MyHeritage stated there was no evidence the data in the file had been used by the perpetrators. It claimed that it does not store user passwords, but a “one-way hash” of each password, which means that whoever accessed the data did not have access to the actual passwords. MyHeritage also offers DNA testing services, but assured users that DNA data and family trees were not affected, as they are stored on segregated systems to email addresses, and have added layers of security.

The increasing popularity of DNA and genealogy sites makes them ripe targets for cyberattacks. The sensitive nature of the information uploaded to these sites – which includes genetic data – makes leaking of user information a concerning prospect.

Ancestry platforms have seen some major developments, not only from their rising popularity, but also in how they are being used by law enforcement agencies for purposes that may not have been fully anticipated by their users (or their distant relatives). In May we blogged about how the Golden State Killer was caught using DNA matched on open genealogy website GEDmatch. It has also been reported recently that investigators are attempting to use those same methods to try and catch the notorious Zodiac Killer.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.