MyHeritage DNA Suffers Security Breach, Only Email Addresses Compromised

June 5, 2018

By Bio-IT World Staff

June 5, 2018 MyHeritage, an Israeli online genealogy platform company, announced yesterday evening that the email addresses and hashed passwords of 92 million MyHeritage users were found on a private server not linked to the company. The security breach includes users who signed up for the service on or before October 26, 2017.

Hashed passwords are not actual account passwords, and can’t be used to access an account. The company reported that no other data related to MyHeritage were found on the private server. “Since Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised,” the company wrote in a statement.

When Ellen Wright Clayton, Craig-Weaver Professor of Pediatrics and Professor of Law at Vanderbilt University, spoke during the HudsonAlpha Genomic Medicine Conference, she highlighted the worries (or lack of) concerning the security of DNA.

“How much should people really be worried about their genetic information?” she asked. “I think that most of us have realized that if we want to be worried about something we ought to be worried about what’s available on the internet... The fact of the matter is, of everything there is about me, my EMR, Facebook, the internet, the thing I’m least worried about is my DNA.”

Laura Hercher, Director of Research and Human Genetics at Sarah Lawrence College, echoed statements in a similar vein when speaking with Megan Thielking at STAT about the security breach.

“I would rather give someone my DNA than my social security number, my search history, or my credit card,” Hercher told STAT. She went on to say that the security breach at MyHeritage is no different than a security breach involving a company that does not handle genetic information.

Representatives of MyHeritage made sure to point out in the statement that no other relevant information (such as credit card numbers) was compromised. “We believe the intrusion is limited to the user email addresses,” the company wrote. “We have no reason to believe that any other MyHeritage systems were compromised.”

MyHeritage DNA was launched in November 2016, offering DNA home-testing kits for determining users' ethnic origins and discovering new relatives. The service is offered in more than 190 countries worldwide, in 42 languages.

Yaniv Erlich, the company’s Chief Science Officer, has worked in cyber-security, and earned the nickname the “genome hacker”. At the Bio-IT World Conference & Expo in 2014, Erlich demonstrated how with a bit of genetic data he was able to identify someone’s name, address, and even ex-wives (in that case, J. Craig Venter).