Genealogy and DNA testing company MyHeritage Ltd. revealed Monday that it had experienced a data breach involving the theft of usernames and hashed passwords of more than 90 million customers.

The breach relates to 92 million users who had signed up to MyHeritage up to and including Oct. 26, 2017. The company found out about the breach only after being informed of it by an unnamed security researcher.

The how or why is not yet known, but MyHeritage committed to a full investigation, though the data only includes usernames and hashed passwords. The form of hashing — encryption — is not specified by the company, but it said it was a “one-way hash of each password, in which the hash key differs for each customer,” meaning that “anyone gaining access to the hashed passwords does not have the actual passwords.”

DNA records and credit card data were not included in the stolen customer records.

Rick Moy, chief marketing officer at Acalvio Technologies Inc., told SiliconANGLE that though it appears that good cryptographic practices were in place, “the organization fell short in detecting the intrusion and data breach, as evidenced by the seven-month delay, and the fact they were notified by a third party. This is where detection technologies, such as EDR [Endpoint Detection and Response], deception and NTA [Network Traffic Analysis], can be helpful. By reacting to a breach quicker, defenders can minimize the time attackers have to exploit whatever knowledge they’ve gained.”

Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin Systems Inc., noted that while critical information was not compromised, the data breach is “yet another example of how breaches across multiple web properties can be used to build a more complete profile of an individual.”

Kumar also questions MyHeritage’s non-disclosure of how the breach occurred. “Where was this data obtained?” he asked. “Does MyHeritage leverage the public cloud? If so, were they following best practices to ensure their cloud security posture, or does this breach follow so many others were cloud storage resources were left unsecured and unencrypted?”

Absolute Software Corp. Global Security Strategist Richard Henderson fairly raised the point that even if the passwords were encrypted, the theft of the usernames still presents risks. “Even if, and it appears that they did, MyHeritage was appropriately salting hashed passwords to limit reversing, we need to realize that for a very large number of users, that doesn’t matter. We know password re-use continues to be a rampant issue with users, and there are plenty of other cracked or stored-in-the-clear password dumps out there tied to millions of email addresses — some of which will undoubtedly lead to a successful login on MyHeritage.”

He added that “if I were part of a company storing some of the most sensitive and personal information that exists, I’m not sure I would be able to justify not providing customers with MFA/2FA as a default option, with the option to disable. Even an SMS-based 2FA system, while not perfect, would be better than having nothing at all.”

Jackson Shaw, vice president of product management at One Identity LLC, said it’s encouraging that MyHeritage is expediting the rollout of multifactor authentication to its customers. Still, he said, “while it’s wonderful that businesses and organizations are planning to implement this most basic of security measures, it is, at the same time, incumbent on consumers to demand this type of security measure. It’s 2018 and if your bank, or family history repository, does not offer multifactor authentication, change vendors. Or at least inundate the support infrastructure with requests.”

Photo: MyHeritage