June 6, 2018updated 14 Jul 2022 9:47am

MyHeritage Hack: “Future Hackers Could Amend Stolen DNA”

No DNA data lost - but a future hack could have severe repercussions, security researchers warn

By CBR Staff Writer

No DNA data has been lost as a result of a hack at genealogy and DNA testing website MyHeritage that leaked 92,283,889 email addresses and hashed user passwords, the company has claimed.

“Sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised,” the Israel-based company said.

The announcement came two days after the company was directed by a security researcher to a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. The hack appears to have happened on October 26, 2017.

MyHeritage said the password hash key differs for each customer, which indicates it is using a per-user salt: a unique random value combined with the password before hashing, so that two users with the same password get different hashes and an attacker cannot reuse one precomputed table against every account.
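To make the difference concrete, the following is an added example, not MyHeritage's code (the page does not say which hash or key-derivation function the company uses). It contrasts a plain unsalted digest with a per-user salt fed into a deliberately slow PBKDF2 derivation, the kind of "additional protective measure" a practitioner would reach for. The user list and the tiny cracking dictionary are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to choose the same weak password.
SAMPLE_USERS = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",
}

# Constructed three-word "dictionary", standing in for an attacker's precomputed table.
DICTIONARY = ["letmein", "password123", "qwerty"]

# Work factor for PBKDF2; real deployments tune this to their hardware budget.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: every user with the same password gets the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user salt, stored as 'iterations$salt$dk'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def new_user_record(password: str) -> str:
    """Generate a fresh random 16-byte salt for each account at enrolment."""
    return salted_hash(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)


def crack_unsalted(hashes: dict) -> tuple:
    """One table, built once, breaks every matching account. Returns (found, work)."""
    table = {unsalted_hash(word): word for word in DICTIONARY}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(DICTIONARY)


def crack_salted(records: dict) -> tuple:
    """Each salted record must be attacked separately at full KDF cost.

    Returns (found, work) where work counts PBKDF2 invocations.
    """
    found, work = {}, 0
    for user, record in records.items():
        for word in DICTIONARY:
            work += 1
            if verify(word, record):
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: new_user_record(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted digests identical:", len(set(unsalted.values())) == 1)
    print("salted records identical:  ", len(set(salted.values())) == 1)
    print("unsalted cracked:", crack_unsalted(unsalted))
    print("salted cracked:  ", crack_salted(salted))
```

With unsalted hashes the attacker does the dictionary work once and matches both accounts; with per-user salts the work grows with the number of accounts, and each guess costs a full PBKDF2 derivation rather than a single SHA-256 call.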

Gemalto CTO of Data Protection Jason Hart said: “This reinforces again that being breached is not a question of ‘if’ but ‘when’. Perimeter defences are just what they are, first lines of defence. When those fail, the only way data can be protected is to encrypt it. It is especially important that sensitive personal data is always encrypted. That way, if the data is stolen it is useless to the thieves.”

He added: “MyHeritage noted that it plans to add additional protective measures in the future. While it appears that MyHeritage hashed its passwords, this is a weak form of protection. Given today’s security climate, all online companies should have multi-factor authentication activated by default for all online accounts as well as using encryption and key management to secure sensitive data.”

“A Serious Wake Up Call”

Rashmi Knowles, EMEA Field CTO at RSA Security, told Computer Business Review: “While only email addresses were compromised, this should serve as a serious wake up call for all handlers of genetic data. If your password is stolen, it can be updated, but this isn’t the case with genetic information – you only have one genetic identity, so if this is stolen there are potentially much more serious consequences.”


She added: “But many people don’t think about this when applying for such services. No matter how secure the organisation, no one is completely risk-free, and if breached, genetic data could be sold on by hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts.”

“There’s even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future.”

The breach comes weeks after police used a DNA match on a publicly available genealogy website to catch the Golden State Killer, a notorious serial killer.
