MyHeritage, one of the nation’s most popular online genealogy sites, said a security breach had affected the email addresses and hashed passwords of 92 million users, raising concerns about the security of more sensitive data that the company collects.
The website allows users to create family trees, search historical records, and look for possible relatives. It also operates MyHeritage DNA, a genetic testing service that lets users to send in their spit and have their genetic information analyzed.
In a statement issued late Monday afternoon, MyHeritage said there was “no reason to believe” that data other than email addresses and hashed passwords had been accessed without authorization. Family trees or genetic data, it said, are stored on different systems with “added layers of security.”
A security researcher contacted the company after discovering a file named “myheritage” on a private server, MyHeritage said. The company reviewed the file and confirmed it contained the email addresses of every user who had signed up for MyHeritage before Oct. 26, 2017, along with their hashed passwords, which conceal a user’s actual password.
The security breach underscores growing concerns about the privacy of data submitted to genealogy platforms. Last month, news that investigators tracked down their suspect in the case of the Golden State Killer sparked worry about the privacy of genetic data shared with commercial sites such as MyHeritage.
Other genealogy sites, such as 23andMe, have security systems similar to the one apparently used by MyHeritage. Last year, 23andMe CEO Anne Wojcicki told Recode that the company keeps genetic information “totally separate” from information that could be used to identify a user, such as email addresses.
A study published in 2017 found that genetic testing sites could be vulnerable to computer hacks that expose personal genetic information.
Researchers at the University of Washington encoded a strand of DNA to contain malware, which allowed them to take remote control of a computer that was being used to process genetic data. And while the researchers stressed the chances of that kind of attack are minimal, they found a host of vulnerabilities in the commercial programs that are used to analyze DNA.
“Any programs that process data can potentially be attacked,” said Peter Ney, a doctoral student in UW’s Paul G. Allen School of Computer Science & Engineering, told STAT at the time. “In many cases, the best practices for security are not being used.”
Even if genetic data from a commercial site like MyHeritage is compromised, it’s not clear how they might be used. That does not tend to allay consumer anxiety, experts say.
“When you put DNA and privacy together in a sentence, understandably and correctly, it makes people nervous,” said Laura Hercher, a professor at Sarah Lawrence College who teaches about genetics and ethics. But, Hercher said, the security breach involving MyHeritage doesn’t seem to be any different than security breaches at other companies that don’t work with genetic information.
“I would rather give someone my DNA than my social security number, my search history, or my credit card,” she said.
MyHeritage said it will hire an independent cybersecurity firm to help probe the breach and provide recommendations about how to prevent security lapses going forward. The company said it’s also speeding up its work to roll out two-factor authentication for users. In the meantime, MyHeritage said all users should change their passwords.