MyHeritage customer data discovered on private server

A breach at a DNA testing service exposed the email addresses and hashed passwords of more than 92 million users.

Israeli company MyHeritage, which tests users’ DNA to build family trees and trace their ancestry, confirmed that the data had been taken in October 2017, but said it only learned of the incident in June 2018.

A security researcher, who has not been named, discovered the files on a private server outside the company and reported them to MyHeritage’s chief information security officer.

Email addresses and hashed passwords belonging to 92,283,889 accounts were swiped, but the company said no other sensitive data had been stolen.

It added that the website stores only a one-way hash of each password, with a different salt for each user, so that identical passwords do not produce identical hashes and anyone holding the data would not have the passwords themselves. That is true as far as it goes: a per-user salt defeats precomputed lookup tables, but it does not stop an attacker from guessing weak or reused passwords offline against each hash one at a time, which is why the advice to change passwords still matters.
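To make the salting point concrete, here is an added example (not MyHeritage’s code; the article does not say which algorithm or parameters the company uses) built on Python’s hashlib: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user and an assumed iteration count. It shows that identical passwords get different digests, that a table precomputed against unsalted SHA-256 is useless against salted records, and that an offline wordlist attack on a single salted record still recovers a weak password. The wordlist is constructed for the example.

```python
import hashlib
import os
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Added example: per-user salted, iterated password hashing with PBKDF2-HMAC-SHA256
# from Python's hashlib. The salt size and iteration count are this example's own
# assumptions, not MyHeritage's parameters, which the article does not give.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password end up with different digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt; a constant-time compare avoids
    leaking how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 of the password: the weak scheme a salt protects against."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def unsalted_lookup_table(wordlist: Iterable[str]) -> Dict[bytes, str]:
    """What a precomputed table against plain SHA-256 looks like: built once,
    then reused against every record of a stolen, unsalted dump."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_salted(salt: bytes, digest: bytes, wordlist: Iterable[str],
                 iterations: int = ITERATIONS) -> Optional[str]:
    """Offline guessing against ONE salted record. The salt forces the attacker
    to redo the work for every user and the iteration count makes each guess
    slow, but a password that is in the wordlist still falls."""
    for guess in wordlist:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data, not real MyHeritage records.
    wordlist = ["123456", "password", "qwerty", "letmein", "dragon"]
    table = unsalted_lookup_table(wordlist)
    # Unsalted dump: one table lookup per record, no hashing at crack time.
    print("unsalted lookup:", table[unsalted_hash("letmein")])
    # Salted dump: the same table is useless, but per-record guessing still works.
    salt, digest = hash_password("letmein")
    print("salted digest in table:", digest in table)
    print("salted record cracked by wordlist:", crack_salted(salt, digest, wordlist))
```

The take-away for a practitioner: salting changes the attacker’s cost from one table lookup per record to one full guessing run per record, so the password policy and the work factor (iterations, or a memory-hard function such as scrypt or Argon2) decide how many of the 92 million records are practically recoverable.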

According to MyHeritage, it doesn’t store credit card information because it uses third-party billing providers.

Other details, such as DNA data and family trees, were stored on separate systems with additional layers of security, the company said.

Only customers who signed up to the service before or on October 26, 2017 – the date of the breach – were affected.

MyHeritage said in a statement: “We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised.

“Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident.

“We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.”

The company has advised users to change their passwords and said it is introducing two-factor authentication as an added security feature.

Securing human code

Although in this case no DNA data derived from customers’ blood or saliva samples was stolen from MyHeritage, a report last year highlighted the threat posed by weak security in popular open-source DNA processing programs.

The study, by researchers at the University of Washington, found that the commonly used programs didn’t employ robust security practices.

Many were “written in programming languages known to routinely contain security problems”, namely C and C++, whose lack of memory safety makes bugs such as buffer overflows easy to introduce, and the code itself contained exploitable vulnerabilities and other security weaknesses.

The researchers also explored whether DNA itself could serve as an attack vector, and found that a malicious actor could synthesise a DNA strand that encodes malicious computer code.

Sequencers output DNA as text: each nucleotide is written as one of four letters (A, C, G, T), so any sequence of bytes can be encoded at two bits per base, and any program that parses the sequencer’s output is parsing input an attacker can control.

The team found that they could synthesise a physical DNA strand carrying malicious code which, once sequenced and fed to a vulnerable analysis program, could compromise the machine doing the processing.

A report read: “To assess whether this is theoretically possible, we included a known security vulnerability in a DNA processing program that is similar to what we found in our earlier security analysis.

“We then designed and created a synthetic DNA strand that contained malicious computer code encoded in the bases of the DNA strand.

“When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing.

“That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA.”

But the team did also note that this attack is – for the moment – unlikely.

There is no present threat to DNA data, the report stated, but as sequencing technology advances and the machines become more accessible, a real attack could become feasible.
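The bases-as-letters encoding and the processing-side check, as an added example that is not code from the University of Washington study: the two-bit mapping of bases, the homopolymer limit and the constant FASTQ quality string are this example’s own assumptions (the page does not give the paper’s encoding), and the length check in the parser is the generic bound a program with a fixed-size read buffer must enforce, not a reproduction of the vulnerability the researchers planted. The payload bytes are a constructed stand-in.

```python
from typing import Iterator, Tuple

# Added example. The base mapping and the synthesis limit below are assumptions of
# this example, not values taken from the study.
BASES = "ACGT"          # A=00, C=01, G=10, T=11 (two bits per base)
MAX_HOMOPOLYMER = 10    # assumed vendor limit on runs of a single base


def bytes_to_dna(data: bytes) -> str:
    """Encode arbitrary bytes as DNA, most significant two bits first."""
    return "".join(BASES[(b >> shift) & 0b11] for b in data for shift in (6, 4, 2, 0))


def dna_to_bytes(seq: str) -> bytes:
    """Inverse of bytes_to_dna; rejects non-ACGT or unaligned input."""
    if len(seq) % 4 != 0 or any(c not in BASES for c in seq):
        raise ValueError("expected a 4-aligned string over ACGT")
    out = bytearray()
    for i in range(0, len(seq), 4):
        value = 0
        for c in seq[i:i + 4]:
            value = (value << 2) | BASES.index(c)
        out.append(value)
    return bytes(out)


def longest_homopolymer(seq: str) -> int:
    """Length of the longest run of one base. A block of 0x00 bytes becomes
    AAAA..., which synthesis vendors will not make, so a raw payload usually
    cannot be ordered as-is; this is one practical obstacle to the attack."""
    best = run = 0
    prev = None
    for c in seq:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def fastq_record(read_id: str, seq: str) -> str:
    """Build one FASTQ record: id line, bases, '+', and a quality string
    (a constant 'I' per base here; a real sequencer emits per-base scores)."""
    return f"@{read_id}\n{seq}\n+\n{'I' * len(seq)}\n"


def parse_fastq(text: str, max_read_len: int) -> Iterator[Tuple[str, str]]:
    """Yield (read_id, sequence) for each record, rejecting malformed input.
    The max_read_len check is the bound a processing program with a fixed-size
    read buffer must enforce before copying the sequence anywhere."""
    lines = text.splitlines()
    if len(lines) % 4 != 0:
        raise ValueError("truncated FASTQ record")
    for i in range(0, len(lines), 4):
        header, seq, plus, qual = lines[i:i + 4]
        if not header.startswith("@") or plus != "+":
            raise ValueError(f"malformed record at line {i + 1}")
        if len(seq) != len(qual):
            raise ValueError(f"sequence/quality length mismatch in {header}")
        if len(seq) > max_read_len:
            raise ValueError(f"read {header[1:]} exceeds {max_read_len} bases")
        yield header[1:], seq


def accepts(text: str, max_read_len: int) -> bool:
    """True if every record in text parses within the limit, False otherwise."""
    try:
        list(parse_fastq(text, max_read_len))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = b"\x90" * 8 + b"\xcc"          # constructed stand-in for a payload
    strand = bytes_to_dna(payload)
    print(strand, "longest run:", longest_homopolymer(strand))
    print(fastq_record("read1", strand), end="")
    print("within limit:", accepts(fastq_record("read1", strand), max_read_len=64))
    print("within limit:", accepts(fastq_record("read1", strand), max_read_len=16))
```

Two things worth noticing when running it: four bases per byte means a few hundred bytes of payload fit comfortably in one synthesisable strand, and the whole defence on the processing side reduces to treating the sequencer’s text output as untrusted input and bounding it before any fixed-size buffer is involved.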