MyHeritage Password Compromise
If you have not changed the password on your MyHeritage web account since June 2018 or earlier, do it now. Do not finish reading this post; go log in to MyHeritage and change your password.
When you log in to MyHeritage for the first time after the breach they will force you to change your password. Make sure to choose a password that is different from any other password that you use elsewhere. Do not reuse the password that had been there, or some permutation of it. If you used that password on other sites, you should change the password on all those sites.
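The "or some permutation of it" advice above is something a site can enforce at forced-reset time, since the user has just authenticated with the old password and the plaintext is briefly available. The following is an added example, not MyHeritage's code, of a reset check that undoes the cheap mutations cracking rule sets try first (case changes, leet substitutions, appended years or symbols, reversal) before comparing old and new; the substitution table and sample passwords are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Leet substitutions that cracking rule sets undo first (constructed, partial list).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to its letter 'core' so trivial variants compare equal."""
    s = pw.lower()
    # Drop leading/trailing runs of digits and symbols (years, "!", "123"), but keep
    # '@' and '$' because they may stand in for letters.
    s = re.sub(r"^[^a-z@$]+|[^a-z@$]+$", "", s)
    # Undo leet spelling, then drop any non-letters still left at the ends.
    s = s.translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is the old password or a cheap mutation of it.

    This is a similarity check, not a strength check: a brand-new weak password
    still needs a separate blocklist/length policy.
    """
    if new == old:
        return True
    a, b = normalize(old), normalize(new)
    if len(a) < 4 or len(b) < 4:
        # Too little letter content to compare cores; fall back to a case-insensitive match.
        return old.lower() == new.lower()
    if a == b or b == a[::-1]:          # same core, or the core reversed
        return True
    if a in b or b in a:                # core with something bolted on or chopped off
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_reset(old: str, new: str) -> str:
    """Decision a forced-reset flow would return for the proposed new password."""
    if is_trivial_variant(old, new):
        return "reject: trivial variant of previous password"
    return "accept"


if __name__ == "__main__":
    # Constructed old/new pairs a user might try at a forced reset.
    for old, new in [("Summer2017", "Summer2018!"), ("Summer2017", "$ummer17"),
                     ("Summer2017", "7102remmuS"), ("P@ssw0rd!", "password"),
                     ("Summer2017", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_reset(old, new)}")
```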
In June of 2018, MyHeritage discovered that their servers had been breached in October 2017. The email addresses and hashed passwords of about 92 million MyHeritage users had been obtained by computer hackers. MyHeritage described the breach in three blog posts:
- MyHeritage Statement About a Cybersecurity Incident
- Cybersecurity Incident: June 5-6 Update
- Cybersecurity Incident: June 10 Update
MyHeritage also implemented 2-Factor Authentication (2FA) on the day that they revealed the breach. It is very likely that they were working on 2FA already, but it is a little sad that it takes a massive breach of password data to make it available to their customers. They (and the other three of the “Big Four” DNA testing services) should be proactively implementing good security controls, not bolting them on as an afterthought after they learn that 92 million password hashes and email addresses have been stolen.
Their description of the risks from this incident downplays the loss of email addresses and password hashes. Any moderately-skilled hacker can extract weak passwords from the password hash with a password cracking tool.[1]
MyHeritage Supports Uploading GSA Chip Kits
One problem with testing your autosomal DNA (atDNA) on any one of the “Big Four” testing services[2] is that they each maintain a separate database to match against.
When you select an atDNA testing service, your DNA will be compared to that of everyone else who tested with that service. If you test on 23andMe and your undiscovered cousins test on Ancestry DNA, you will not appear in each others’ match lists because those databases do not communicate with each other.
You can download your raw DNA representation … your DNA “kit,” and upload it to GEDMatch, which will match it against everyone else who has uploaded to GEDMatch. It would be great if everyone who tested uploaded their kits to GEDMatch. There is something of a learning curve to using GEDMatch, and most of the testing services include documentation that can frighten the average person away from downloading their kit.
MyHeritage allows anyone who has tested on the other services to upload their kit and compare it to their database for matches. Until now, 23andMe kits processed after August 2017 could not be used by any service other than 23andMe. MyHeritage now supports matching kits that are based on the GSA chip. See more details on their site:
1. My SPOIL pages talk about how to protect yourself from this kind of attack.
2. There are new services spinning up all the time. The four major players in this field, currently listed on the ISOGG atDNA Testing Comparison Chart, are AncestryDNA, MyHeritage, 23andMe and FamilyTree DNA.