Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

6/6/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

MyHeritage Data Breach of 92M Accounts Raises Many Questions

After being contacted by a security researcher, MyHeritage announced that as many as 92 million of its accounts may have been compromised. However, there are more questions that need to be asked about this data breach.

MyHeritage is the latest enterprise facing security repercussions after the company announced this week that as many as 92 million user accounts may have been exposed during a recent data breach.

In an announcement posted on June 4, the genealogy and DNA testing service site revealed that a security researcher approached its security team on Monday to alert them that customer email addresses and hashed passwords were found on a server outside the business' network.

The breach appears to have happened around Oct. 26. Overall, 92,283,889 email address might have been exposed during this time.

"Immediately upon receipt of the file, MyHeritage's Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system," according to the company's statement.

(Source: Wikimedia)
(Source: Wikimedia)

It does not appear that anyone actually used the compromised data, and MyHeritage has hired a third-party security firm to help investigate.

The saving grace for MyHeritage is that the company did not store the password itself and the passwords were protected using a one-way hash that creates a unique cryptographic key for each customer account.


Now entering its fifth year, the 2020 Vision Executive Summit is an exclusive meeting of global CSP executives focused on navigating the disruptive forces at work in telecom today. Join us in Lisbon on December 4-6 to meet with fellow experts as we define the future of next-gen communications and how to make it profitable.

In addition, payment information, such as credit card data, is handled by a third party and the most sensitive data -- the genealogical information that users send in to have their DNA tested -- is stored a segregated server that is removed from the systems that store the email addresses.

MyHeritage announced the breach shortly after implementation of the European Union's General Data Protection Regulation (GDPR), which went into effect on May 25. (See GDPR: SecurityNow's Need-to-Know Guide.)

However, there are serious security questions that a breach of this sizes raises.

Mukul Kumar, the CISO and vice president of Cyber Practices at security firm Cavirin, wrote in an email to Security Now that this latest breach shows not only how weak current password techniques are, but the danger of uploading data to the cloud without a better plan to protect it.

"A top priority must be to use unique passwords, but even when browsers recommend this, the reality is very different. How many of you reuse the same password across two or more sites?" Kumar asked.

"The second question is, from where was this data obtained?" Kumar added. "Does MyHeritage leverage the public cloud? If so, were they following best practices to ensure their cloud security posture, or does this breach follow so many others were cloud storage resources were left unsecured and unencrypted?"

MyHeritage is taking additional security steps, such as building in two-factor authentication for customer account, but the company also needs to dig deeper into the enterprise-level security practices.

"It appears that good cryptographic practices were in place, such as unique salts. However, the organization fell short in detecting the intrusion and data breach, as evidenced by the seven- month delay, and the fact they were notified by a third party," Rick Moy, the CMO at Acalvio, which provides advanced threat detection and defense tools, wrote in an email.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20859
PUBLISHED: 2021-12-01
ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-19...
CVE-2021-20860
PUBLISHED: 2021-12-01
Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and ...
CVE-2021-20861
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC...
CVE-2021-20862
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-175...
CVE-2021-20863
PUBLISHED: 2021-12-01
OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GS...