
MyHeritage Says 92M User Accounts Have Been Compromised - ghgr
https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/
======
cthulhujr
It will be an interesting day when millions of people have their detailed
genetic profiles compromised. I'm not entirely sure how much useful data is
gathered by these DNA test sites today, but I can easily imagine a future
where data from human samples is a prime target for hackers. Perhaps more
valuable than login credentials.

~~~
1_player
Forgot your password? Submit your DNA fingerprint to prove your identity.

Definitely better and definitely scarier than the current "security question"
technique.

~~~
alasdair_
>Definitely better

You can change a security question. You can't change your DNA.

Biometrics are usernames, not passwords.

~~~
blitmap
I thought you could "replace" your DNA with a bone marrow transplant? I am
most definitely not a scientist.

~~~
jazoom
You could replace the DNA of your bone marrow that way, and maybe the DNA of
any blood cells that happen to be made by that bone marrow, but most of your
body will still have the old DNA.

------
ilamont
I'm surprised that they have so many accounts, but they were good at building
partnerships. For instance, a few years ago when 23andme decided they didn't
want to deal with users' family trees any longer (a popular feature,
considering most people were interested in genetic genealogy data derived from
23andme tests) they pushed people to join MyHeritage
([http://blog.kittycooper.com/2015/01/myheritage-is-now-doing-...](http://blog.kittycooper.com/2015/01/myheritage-is-now-doing-the-family-trees-for-23andme/)).

------
WorkLifeBalance
From the "Steps we've taken" it sounds like they haven't forced a password
reset on compromised accounts. I can understand from a business perspective
that would be a harsh way for affected people to find out they were in the
breach, but it seems reckless to keep compromised hashes in the system.

~~~
towb
They have; I got an email from them a week ago or so saying emails and encrypted
passwords had leaked and that all passwords are annulled.

------
privateSFacct
MyHeritage has a totally scammy auto-renewal system.

Can't say I'm surprised given their crappy anti-user auto-renewal system that
they dumped everyone's data. Ugh...

Google "my heritage auto renewal" for the background.

------
jonplackett
Wonder how many bank accounts are being hacked right now with mother's maiden
name as the 'secret' account reset question.

~~~
hundchenkatze
I assume no more than usual, as genealogical and DNA information were not
leaked.

------
solatic
TL;DR - email addresses and password hashes leaked for users registered until
2017-10-26, affecting 92m accounts.

No password reset, no mention of usage of salts, no mention of hash algorithm
used, (edit: originally said no 2FA, but 2FA was added, thanks bbarn), no
auditing to confirm that other systems were not leaked ("we have no reason to
believe those systems have been compromised"), internal investigation has been
fruitless so far (for two and a half weeks).

~~~
magnat
> no mention of usage of salts

They wrote "MyHeritage does not store user passwords, but rather a one-way
hash of each password, in which the hash key differs for each customer". I
believe "different hash key for each customer" means either nonce or salt.

~~~
solatic
It's ambiguous, I read it as the hashes being different for each customer out
of a mistaken assumption that no two customers have the same password. A salt
isn't really a "key" for a hash function, because it isn't going to tell you
by itself what the original unhashed value is, and neither will it by itself
give you the final hash.

~~~
KMag
But a salt is a key in the same sense as a MAC key (such as HMAC key).

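An added illustration of the salt-versus-key distinction debated in this subthread (example code, not MyHeritage's; the page does not disclose their hash algorithm or parameters, so PBKDF2-HMAC-SHA256 with constructed iteration and salt sizes is assumed). A per-user salt is a stored, non-secret value that makes equal passwords hash differently; a MAC key is a secret held outside the database.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed, illustrative parameters; not the vendor's actual settings.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage next to each other in the users table.

    The salt is random per user and is NOT secret: its job is to make two
    customers with the same password produce different digests and to stop a
    precomputed table from being reused across accounts. It does not by itself
    reveal the password, nor by itself yield the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def keyed_hash(password: str, salt: bytes, server_key: bytes) -> bytes:
    """The 'key in the same sense as a MAC key' reading from the thread.

    server_key is a secret pepper kept outside the database (e.g. in an HSM or
    application config), so a dumped credentials table alone does not contain
    everything needed to run an offline guessing attack against these digests.
    """
    _, digest = hash_password(password, salt)
    return hmac.new(server_key, digest, "sha256").digest()


def verify_keyed(password: str, salt: bytes, stored: bytes, server_key: bytes) -> bool:
    return hmac.compare_digest(keyed_hash(password, salt, server_key), stored)
```

Same password, two users: the salts differ, so the stored digests differ, which is the property the thread was trying to read out of "the hash key differs for each customer".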
------
plodman
Forgive my ignorance on the subject but why would there only be usernames and
passwords in this file? Is it customary to store other details in separate
tables and have different access rights between the 2 tables?

Or did the perpetrators just pull login details as it’s the only useful
information?

~~~
hugh4life
"Is it customary to store other details in separate tables"

It's quite common to store just what's needed for logins in its own table.

~~~
heartbreak
> Is it customary to store other details in separate tables and have different
> access rights between the 2 tables?

There's more to that sentence. Outside of enterprise corporations, I've never
actually seen an application database user with permissions to the user
credentials table but not the rest of the tables in the database related to
that application.

~~~
ams6110
Agreed, if the data are from a database table, it's likely that all the tables
in the database were exposed. Depends on the method of intrusion, e.g. did
they get access to a database backup, access to the live database, access to
something a developer carelessly left unprotected in EC2, etc.

Also their statement "We have no reason to believe that any other MyHeritage
systems were compromised" is a fancy way of saying "we have no idea what
happened" and equivalent in my mind to "We have no reason to believe that any
other MyHeritage systems were _not_ compromised."

------
nicodjimenez
Wow, MyHeritage putting up numbers!

------
aurelien
Who cares about CyberSecurity?

