MyHeritage, an Israel-based genealogy and DNA testing company, disclosed that a security researcher found a file containing email addresses and hashed passwords of more than 92 million of its users.
In a statement on Monday, Omer Deutsch, MyHeritage’s chief information security officer, said, “there has not been evidence that the data in the file was ever used by the perpetrators.” However, it’s hard to measure the impact of a breach, especially considering this took place in October 2017.
According to the 2017 Cost of a Data Breach study by Ponemon, it takes a company an average of 191 days to identify a data breach, so it’s not surprising that MyHeritage was not able to identify this breach right away.
Although the company protects its passwords with a one-way hash, with a different key required to access each customer’s data, it has urged all its users to change their passwords right away to reduce the risk.
Additionally, the company believes the DNA data should not be at risk, as it stores the DNA on “segregated systems and are separate from those that store email addresses, and they include added layers of security.”
Unfortunately, data breaches are becoming a fact of life. Those affected need to automatically ask themselves, “In how many other accounts do I use the same password?” and change those passwords immediately. Bad actors can use the stolen data for a myriad of things, one of which is accessing the other accounts that share the same password.
Bad actors are constantly looking for the weakest link in a system to steal valuable data, but some companies are succeeding at making this stolen data valueless and thus securing their users’ accounts. Businesses implementing multi-layered solutions that don’t rely on passwords have the upper hand.
Technologies such as behavioral analytics and passive biometrics are preventing account takeover attempts even when legitimate credentials are used. They do this by analyzing not just the password but also the user’s current behavior, past behavior, type of device, typing speed, and hundreds of other data points, which makes stolen data insufficient to access an account.
MyHeritage is another example of just how vital it is, as a company, to add these security layers to authenticate your users.
For users, this should remind you to never reuse passwords and always activate two-factor authentication when available.