Tuesday, June 5, 2018

Security Breach at MyHeritage

MyHeritage is alerting users in this blog post to a security breach that occurred on their servers. They have traced the breach to October 26, 2017. If you opened an account after that date, there should not be a problem. If you opened an account on MyHeritage before that date, your email address and a hash of your password were found posted on a site not controlled by the company.

What does this mean? It means that someone got into MyHeritage's systems. How far they got is not clear. What is known is that the perpetrator got hold of email addresses and password hashes. A hash is a one-way function applied to a password, and it is what a system checks against when you log in. It is, theoretically, not possible to reverse this hash, so the hacker would not have access to your plain-text password.
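To show what "a hash of your password" actually is, here is an added example (not MyHeritage's code; the algorithm, iteration count and record format are assumptions) of how a site stores a salted, one-way password hash and checks a login attempt against it without ever storing the password itself:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration, not the breached site's settings.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The record contains the salt and the derived hash but never the password;
    the derivation is one-way, so the password cannot be read back from it.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Check a login attempt by re-deriving the hash with the stored salt.

    The comparison is constant-time so timing does not leak how many bytes matched.
    """
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: the passphrase-style password from this post.
    record = hash_password("MggniAP.Hwbi1837.")
    print(record)  # the stored record; no plain-text password appears in it
    print(verify_password(record, "MggniAP.Hwbi1837."))  # True
    print(verify_password(record, "password123"))  # False
```

A leaked record like this only lets someone confirm or deny a guess at the password, which is why a guessable password is the real risk and why changing it after a breach matters.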

As an Information Security Engineer, I can tell you that while it may not currently be possible to reverse this hash, it may be possible in the future. I recommend that if you had an account with MyHeritage.com prior to October 26, 2017, you change your password. In addition, if you use the same email address and password at any other site, you should change that password as well.

As a reminder, NEVER use the same username/password combination at multiple sites. Doing so leaves open the possibility that if a malicious actor got hold of this combination at one site, they could use the same combination at other sites. So, if they were somehow able to reverse the hash of your MyHeritage password, they could use your email address and password to log in to any other site where you used the same combination.

This won't be the last time you hear about a genealogical site being hacked. I guarantee it will happen to another company at a later date. In fact, it's possible another company has already been hacked and just doesn't realize it yet. Use sound password practices: don't use the same password at multiple sites, and use complex passwords that are not easy to guess. One popular technique is to come up with a simple sentence and use an abbreviation of that sentence as your password. For example, "My great-grandfather's name is Aloys Panther. He was born in 1837." could result in the password "MggniAP.Hwbi1837." This is an extremely secure password, yet it is easy for me to remember. Of course, when it comes time to change your password, don't use the same sentence to come up with the new one.

--Matt Miller
CISSP
