Following the news that ancestry site MyHeritage has been breached, potentially exposing the data, and in some cases the DNA details, of 92 million users, IT security experts commented below.
David Emm, Principal Security Researcher at Kaspersky Lab:
Yesterday the news broke that ancestry site MyHeritage had been breached, potentially leaving the details of 92 million global customers vulnerable to attack. But what was refreshing was the response from the company’s CISO. Within hours of the breach being discovered, he had taken to the company’s website to explain what they had discovered, what steps they were taking to rectify the issue, and how they protected people’s data in general. Often when a breach happens, one of the biggest failings is that of honesty and disclosure from the victim, which ultimately leaves consumers even more vulnerable as they are unaware they need to take action.
Of course, the data is still at risk, and it’s especially concerning when you consider the type of data (including DNA) this site holds. But, by acting swiftly and definitively, MyHeritage has allowed its customers to regain some control of their personal data by changing passwords, checking for suspicious activity on accounts, and exercising caution; all actions that, had the breach been kept secret whilst the company investigated or gave itself time to ‘stage manage’ its public response, would have left them even more at risk from fraudsters.
It’s good to see that, going forward, MyHeritage is considering the implementation of two factor authentication for added security in this kind of scenario. These days we talk about not ‘if’ a company is breached but ‘when’, so protection of data in that event is the key here.
The advice to consumers remains the same as it would in any breach situation:
- Change your MyHeritage account password and any associated passwords using a complex password
- Monitor accounts for any suspicious activity and do not click on any links in emails purporting to be from the firm – instead go to your account online to check for messages
Ryan Wilk, VP of Customer Success at NuData Security:
Anthony James, CMO at CipherCloud:
Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need to do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyberattacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts.
The moral of the story? Protecting customer data is more important than ever. New best practices such as the use of Zero Trust end-to-end encryption and 2-factor authentication are required for data and threat protection as well as the barrage of new compliance regulations.
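The dictionary attack described in the comment above, as an added worked example that is not part of the original article and is not MyHeritage's code: the attacker hashes a wordlist once, builds a digest-to-password table, and matches it against a stolen table. The same script also shows the caveat a practitioner wants: when each record carries its own salt and an iterated KDF, the precomputed table no longer transfers between users and every record costs a full pass over the wordlist. The wordlist, the user records and the salts are constructed here for the demo; the page says nothing about how MyHeritage actually hashed passwords.

```python
import hashlib

# Constructed stand-in for a "most popular passwords" list.
# A real attack uses a list of 100,000+ entries; the mechanics are identical.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "dragon", "sunshine", "princess", "football"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password gives the same digest for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 1000) -> str:
    """Per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    1000 iterations keeps the demo quick; production deployments use far more,
    which multiplies the attacker's per-guess cost by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup(wordlist):
    """Hash each candidate once. The table is reusable against every stolen
    record and against every future unsalted leak using the same hash."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(stolen, lookup):
    """stolen: {email: hex digest}. Cost per record is one dictionary lookup."""
    return {email: lookup[digest]
            for email, digest in stolen.items() if digest in lookup}


def crack_salted(stolen, wordlist):
    """stolen: {email: (salt, hex digest)}. No shared table is possible: each
    record forces a fresh pass over the wordlist with that record's salt.
    Returns (recovered passwords, number of KDF evaluations performed)."""
    recovered, work = {}, 0
    for email, (salt, digest) in stolen.items():
        for candidate in wordlist:
            work += 1
            if salted_hash(candidate, salt) == digest:
                recovered[email] = candidate
                break
    return recovered, work


# Constructed "leaked" tables with fictional users, built inline so the demo runs offline.
LEAK_UNSALTED = {
    "alice@example.com": unsalted_hash("123456"),
    "bob@example.com": unsalted_hash("letmein"),
    "carol@example.com": unsalted_hash("correct horse battery staple"),
}

# Fixed salts so the example is reproducible; real systems draw them from os.urandom.
SALTS = {
    "alice@example.com": b"\x01" * 16,
    "bob@example.com": b"\x02" * 16,
    "carol@example.com": b"\x03" * 16,
}
LEAK_SALTED = {
    "alice@example.com": (SALTS["alice@example.com"],
                          salted_hash("123456", SALTS["alice@example.com"])),
    "bob@example.com": (SALTS["bob@example.com"],
                        salted_hash("letmein", SALTS["bob@example.com"])),
    "carol@example.com": (SALTS["carol@example.com"],
                          salted_hash("correct horse battery staple", SALTS["carol@example.com"])),
}


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted SHA-1, precomputed table:", crack_unsalted(LEAK_UNSALTED, table))
    found, evaluations = crack_salted(LEAK_SALTED, WORDLIST)
    print("salted PBKDF2, per-user guessing:", found, "after", evaluations, "KDF calls")
```

Both runs recover the two weak passwords and neither recovers carol's long passphrase, which is the point the comment makes: hashing does not protect a password that is in the attacker's list. What the salted variant changes is the economics. The unsalted table cost eight hash evaluations total and then answers every record with a lookup; the salted run spends a full wordlist pass per user (13 KDF evaluations here, with carol alone consuming eight), and with a production iteration count each of those evaluations is orders of magnitude slower.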
Sandor Palfy, CTO, Identity & Access Management at LogMeIn: