MyHeritage, a DNA and genealogy company, has announced that the login credentials of 92 million users were stolen. It only discovered the breach when a security researcher notified the company that he had found a file named myheritage stored outside of M.
The file contains, writes MyHeritage CISO Omer Deutsch in a statement, “the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach.” He stresses that the passwords are stored as “a one-way hash of each password, in which the hash key differs for each customer” (possibly implying that each password is hashed with a unique salt).
Deutsch believes that only the credentials were stolen. “We have no reason to believe that any other MyHeritage systems were compromised.” Furthermore, he adds, “we have not seen any activity indicating that any MyHeritage accounts had been compromised.” Payment data, user DNA data and family trees have not been affected. MyHeritage went public with admirable speed, on the same day it learned of the breach. But some aspects of the announcement are concerning. For instance, it immediately set up an incident response team to investigate the event. Best practice would have had such a team already established in anticipation of a breach.
The company is accelerating “work on the upcoming two-factor authentication feature that we will make available to all MyHeritage users soon.” Best practice would have had MFA in place long ago. Furthermore, it will recommend rather than require that users enable the MFA option. It also advises users to change their passwords, when it should probably force a password reset on all users.
“It appears that MyHeritage hasn’t taken the steps to automatically require users to change passwords, just that they recommend they do,” comments Absolute Software’s Global Security Strategist Richard Henderson. “That should be an immediate action for any breach of this type. We still don’t know (and neither do they) how this information was stolen, or the motives for doing so… and the statement by MyHeritage that they believe no other data was taken, especially unique DNA information and genealogy information, is probably a little premature, until they can determine exactly what happened late last October.”
The encouraging tone of the MyHeritage announcement is also confronted by CMO of CipherCloud, Anthony James. “Don’t believe for a second that a hashed password is safe,” he says. “Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyber-attacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts.”
The unknown quality of the hashing function could make credential cracking harder, but not necessarily impossible. Likewise, cracking may not even be needed if a user has had the same password, with the same email address, stolen in a different breach that used a weak hash function. SecurityWeek has contacted MyHeritage asking for further details on the hashing procedure, and will update this report with any response. Rick Moy, CMO at Acalvio, is concerned that MyHeritage did not itself detect the intrusion, “as demonstrated by the seven-month delay, and the fact they were alerted by a third party.” The implication is that the company does not have adequate detection capabilities, and if it failed to notice this intrusion, there may be other incidents on other systems that have also gone unnoticed.
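The dictionary attack described above only works cheaply when the stolen hashes are unsalted and fast to compute: a table hashed once from a wordlist can then be compared against every record. The added example below (written for this page, not MyHeritage's code; the wordlist, email addresses and iteration count are constructed) shows that pattern against unsalted SHA-256 records, and then the hardened form that the statement hints at, a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256), against which the same precomputed table matches nothing.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "top 100,000 most popular passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "genealogy1"]

# --- Weak scheme: one unsalted, fast hash per password (shown for contrast) ---
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_table(wordlist) -> dict:
    """Hash the wordlist once. Because no salt is involved, the same table
    applies to every unsalted record in a stolen dump."""
    return {weak_hash(w): w for w in wordlist}

def lookup_unsalted(stolen: dict, table: dict) -> dict:
    """Map email -> recovered password for every unsalted record found in the table."""
    return {email: table[h] for email, h in stolen.items() if h in table}

# --- Hardened scheme: per-user random salt plus a slow KDF ---
ITERATIONS = 200_000  # assumption: tune to your hardware; a higher count costs attackers more per guess

def store_password(password: str) -> dict:
    """Return the record a service should persist: salt, iteration count and digest.
    The salt differs for each user, so equal passwords produce different hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def lookup_salted(stolen: dict, table: dict) -> dict:
    """The unsalted table is useless here: a precomputed SHA-256 of 'qwerty' never
    equals PBKDF2('qwerty', random_salt), so this returns an empty mapping."""
    return {email: table[r["hash"]] for email, r in stolen.items() if r["hash"] in table}

def demo() -> dict:
    """Run both schemes on a constructed two-user dump and report what the table recovers."""
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted_dump = {
        "alice@example.com": weak_hash("qwerty"),
        "bob@example.com": weak_hash("correct horse battery staple"),
    }
    salted_dump = {
        "alice@example.com": store_password("qwerty"),
        "bob@example.com": store_password("correct horse battery staple"),
    }
    return {
        "unsalted_recovered": lookup_unsalted(unsalted_dump, table),
        "salted_recovered": lookup_salted(salted_dump, table),
        "alice_login_ok": verify_password("qwerty", salted_dump["alice@example.com"]),
        "alice_wrong_pw": verify_password("letmein", salted_dump["alice@example.com"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted dump gives up "qwerty" immediately; the salted dump gives up nothing to the same table, and an attacker would have to run the slow KDF once per guess per user. Note that salting raises the cost but does not rescue a password that is itself in the wordlist, which is why the article's advice to force a reset still stands.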
This possibility also concerns Rashmi Knowles, EMEA Field CTO at RSA Security. “If your password is stolen, it can be updated, but this isn’t the case with genetic information,” she warns. “You only have one genetic identity, so if this is stolen there are potentially much more serious consequences. But many people don’t think about this when applying for such services. No matter how secure the organization, no one is completely risk-free, and if breached, genetic data could be sold on to other hackers without your consent, or the characteristic data it contains could be used to hijack your online accounts. There’s even a possibility that hackers can amend or even delete genetic data in some cases, which could have serious implications for the victim and the level of healthcare or even health insurance they could access in the future.”
There is possibly a side-story to this incident. MyHeritage reports, “We are taking steps to inform relevant authorities including as per GDPR.” SecurityWeek has asked MyHeritage to expand on this. Who are the relevant GDPR authorities for MyHeritage?
The company lists numerous contact phone numbers in several European countries, including “24/7 support” from the Irish number. This suggests that the Irish regulator may be the relevant GDPR authority for MyHeritage. There is little doubt that MyHeritage is accountable under GDPR, and it appears that it is reachable by the GDPR authorities via its European offices. The only question here is whether Europe will choose to make a high-profile example of MyHeritage this early in the GDPR era.
But what about the researcher? Is he or she also liable under GDPR for the unlawful storage of, and access to, European PII? It is a debatable point. The UK’s Information Commissioner’s Office has told SecurityWeek that researchers are exempt from GDPR under the principle of legitimate interest.
David Flint, senior partner at MacRoberts LLP, does not share that view. Asked if researchers should be worried about GDPR, he said, “The short answer is YES! Under the GDPR/DPA 2018 the researcher couldn’t be a Processor (as he is not acting on instructions of a Controller) therefore he must be a Controller.”
So, as a controller, “If a researcher comes across that data he should advise all the Data Subjects that he has the data and what he intends to do with it, sending them a Privacy Notice. GDPR deals with an exemption for historical research which doesn’t seem relevant here.”
These are interesting times: MyHeritage users will have to wait to see whether their DNA has been, or may yet be, compromised; researchers will have to wait to see whether GDPR may be enforced against them; and businesses across the world, including MyHeritage, will be waiting to see how forcefully GDPR will be enforced by the European Union.