Following the news that ancestry site MyHeritage has been breached, potentially exposing the data, and in some cases the DNA details, of 92 million users, IT security experts commented below.
David Emm, Principal Security Researcher at Kaspersky Lab:
News of a data breach is a daily reality today. But it’s rarer to hear news of a breach where the company in question is on the front foot and has proactively shared information with the public, which will ultimately lead to the collateral damage being reduced.
Yesterday the news broke that ancestry site MyHeritage had been breached, potentially leaving the details of 92 million global customers vulnerable to attack. But what was refreshing was the response from the company’s CISO. Within hours of the breach being discovered, he had taken to the company’s website to explain what they had discovered, what steps they were taking to rectify the issue, and how they protected people’s data in general. Often when a breach happens, one of the biggest failings is that of honesty and disclosure from the victim, which ultimately leaves consumers even more vulnerable as they are unaware they need to take action.
Of course, the data is still at risk, and it’s especially concerning when you consider the type of data (including DNA) this site holds. But, by acting swiftly and definitively, MyHeritage has allowed its customers to regain some control of their personal data by changing passwords, checking for suspicious activity on accounts, and exercising caution; all actions, that, if had been kept secret whilst the company investigated or gave itself time to ‘stage manage’ its public response, would have left them even more at risk from fraudsters.
It’s good to see that, going forward, MyHeritage is considering the implementation of two factor authentication for added security in this kind of scenario. These days we talk about not ‘if’ a company is breached but ‘when’, so protection of data in that event is the key here.
The advice to consumers remains the same as it would in any breach situation:
- Change your MyHeritage account password and any associated passwords using a complex password
- Monitor accounts for any suspicious activity and do not click on any links in emails purporting to be from the firm – instead go to your account online to check for messages
Ryan Wilk, VP of Customer Success at NuData Security:
“Even though the breach occurred last year, consumers should immediately change their passwords to avoid any potential damage. Additionally, those users who have reused their MyHeritage password on other accounts should also change those passwords to avoid exposing more accounts. A password manager is helpful in tracking and creating random passwords that are hard for a script to crack. Passwords are a key target for bad actors as they use them to access accounts and the sensitive data stored in them. However, companies who are implementing multi-layered solutions that don’t rely on passwords, such as behavioral biometrics and passive biometrics, are preventing this threat and protecting their customers even when their passwords have been exposed.”
Anthony James, CMO at CipherCloud:
“The bad news is, for sure, that 92 million MyHeritage user accounts were compromised. The attackers obtained emails and hashed passwords. Don’t believe for a second that a hashed password is safe. When a user normally logs in, the password submitted is run through the hash function and then the result is compared with the hashed password stored for that user.
Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyberattacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts.
The moral of the story? Protecting customer data is more important than ever. New best practices such as the use of Zero Trust end-to-end encryption and 2-factor authentication are required for data and threat protection as well as the barrage of new compliance regulations.”
Sandor Palfy, CTO, Identity & Access Management at LogMeIn:
“While it’s unclear how MyHeritage was breached, and the company had encryption in place to protect user information, this news is still a good reminder that almost all online accounts can hold information hackers find valuable. People will often use the same or similar passwords for work or personal accounts, or neglect to change them even when a breach is reported. That opens the door for hackers to exploit even more information. You never know when your account or personal information might be as risk, which is why we always recommend you take your online security seriously. Passwords that are lost, shared, reused or weak carry tremendous risk as cyber threats grow more sophisticated. Simple steps such as creating secure passwords, never reusing them and turning on two-factor authentication with your accounts whenever possible; a feature that MyHeritage says it plans to deploy in the future, will prevent data loss in the event of a 3rd party breach.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.