Based on the creation dates of some accounts, the breach appears to have taken place on October 26, 2017.
The breach is the largest since last year's Equifax leak of 147.9 million pieces of private data, ranging from Social Security numbers and birth dates to addresses and some driver's license numbers.
It includes the email addresses and hashed passwords of the more than 92 million users who signed up for the platform up to October 26, 2017, which was the date of the breach, according to a statement from MyHeritage. MyHeritage says it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.
The company announced the breach on its blog, explaining that an unnamed security researcher had contacted it to warn of a file he had encountered "on a private server", tellingly entitled "myheritage". "This means that anyone gaining access to the hashed passwords does not have the actual passwords".
The email addresses are valuable though, and such a huge list would be a handy starting point for criminals to launch a phishing campaign.
Israel-headquartered MyHeritage enables users to create family trees by searching through historical documents such as census, immigration, marriage and burial records in 42 languages. There has been no evidence that the data in the file was ever used by the perpetrators.
We believe the intrusion is limited to the user email addresses. MyHeritage is also working with an independent cybersecurity firm, which will conduct reviews to determine the scope of the breach and offer suggestions on preventing something like this from happening again. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer.
Two-factor authentication was already in development, but the team is "expediting" its rollout, so if you're a user, be sure to set that up as soon as it's available.
Deutsch added in a follow-up post published today that "from the moment this became known to us we have been working literally around the clock, taking additional steps to help protect our users".