The breach was first brought to the company’s attention by a security researcher, who discovered a file called “myheritage” on a private server, according to the statement. “Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”
The statement notes that there is “no reason to believe” that other information—such as credit card numbers (which are not stored by MyHeritage) or DNA data (which are stored on separate MyHeritage systems)—has been affected. Other genealogy platforms such as 23andMe take a similar approach to distributing information, keeping email and password information separate from genetic data.
Laura Hercher, who teaches about genetics and ethics at Sarah Lawrence College, tells STAT News that, while it’s unclear how this information or even DNA data themselves might be used, “when you put DNA and privacy together in a sentence, understandably and correctly, it makes people nervous.” She adds, however, “I would rather give someone my DNA than my social security number, my search history, or my credit card.”
Harvard Medical School’s Robert Green, speaking to Science News before word of the breach at MyHeritage had spread, notes that there’s an inherent risk with storing personal information online. Following high-profile security breaches at large companies including Equifax and Facebook, “there’s an ongoing, slow-motion realization that there are so many avenues where our privacy can be compromised,” he says.
MyHeritage recommends in the statement that users change their passwords for “maximum safety,” and notes that the company is undertaking its own investigation of the incident.