Change that password!
Ninety-two million genealogists got another wake-up call yesterday about computer security, with a big dollop of bad news eased by a bit of not-so-bad news.
That’s how many of us — The Legal Genealogist included — were among the subscribers whose names, emails and hashed passwords (more on what that means in a second) were found to have been hacked from the MyHeritage computers.
The announcement of the breach came from MyHeritage on its blog,[1] and it has posted more information since then.[2]
Bottom line: a security researcher contacted MyHeritage and told the company he’d found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. The company’s review showed it really was from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
That’s the bad news.
The not-so-bad news is that the passwords in the file were hashed. This is a form of data encryption “designed to act as a ‘one-way function’: A mathematical operation that’s easy to perform, but very difficult to reverse. Like other forms of encryption, it turns readable data into a scrambled cipher. But instead of allowing someone to decrypt that data with a specific key, as typical encryption functions do, hashes aren’t designed to be decrypted.”[3]
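To make the “one-way function” idea concrete, here is a small added example in Python. It is not MyHeritage’s code, and the post does not say which hash function MyHeritage used; the sample password is constructed for the demonstration. The first function shows a bare one-way hash (the same input always gives the same digest, and the digest cannot be turned back into the input). The second and third go a step beyond the post’s description and show how a site is expected to store passwords defensively: a per-user random salt and a deliberately slow hash (PBKDF2 via the standard library), so that a leaked file of hashes is as hard to work with as possible. Verification never “decrypts” anything; it simply recomputes the hash and compares.

```python
import hashlib
import hmac
import os

# Constructed sample value for this added example; not from the breach.
SAMPLE_PASSWORD = "correct horse battery staple"


def plain_sha256(password: str) -> str:
    """Bare one-way hash: deterministic, but not reversible.

    This is enough to illustrate 'one-way', but a bare, fast, unsalted hash
    is NOT how passwords should be stored (see hash_password below).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None, iterations: int = 600_000) -> str:
    """Salted, slow hash suitable for storing a password.

    Returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' so that
    verify_password can reproduce exactly the same parameters later.
    A fresh random 16-byte salt is drawn unless one is supplied (the
    explicit-salt path exists only so the behaviour can be tested).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the one-way function with the stored salt and iteration
    count, then compare in constant time. Nothing is decrypted."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # hmac.compare_digest avoids leaking where the comparison diverged.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Two users choosing the same password get different stored records
    because of the salt; a bare hash would make that reuse visible."""
    record_a = hash_password(SAMPLE_PASSWORD)
    record_b = hash_password(SAMPLE_PASSWORD)
    return {
        "same_bare_hash": plain_sha256(SAMPLE_PASSWORD) == plain_sha256(SAMPLE_PASSWORD),
        "salted_records_differ": record_a != record_b,
        "correct_password_verifies": verify_password(SAMPLE_PASSWORD, record_a),
        "wrong_password_rejected": verify_password("not the password", record_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a subscriber is the last two lines of `demo()`: the site can check your password without ever holding it in readable form, which is why a leak of hashed passwords is bad news rather than catastrophic news. The point for the site is the salt and the iteration count: without them, identical passwords across users produce identical hashes, and a fast hash lets a leaked file be tested against guesses far more quickly.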
So far, there is no indication that the hashing has been cracked, no indication that anything other than names and email addresses was in plain text, and no financial or other data associated with the accounts was included in the hacked data:
We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.[4]
So… what does that mean for us today?
It means we need to change our MyHeritage passwords. In fact, MyHeritage is expiring everybody’s password, meaning if you don’t change it — even if you signed up after October 2017 and aren’t affected by this — one day very soon the system will make you change it when you try to log in.
You can read more about this on the MyHeritage Blog, in the initial report and in the update with more information (sources 1 and 2 below).
And what else does this mean for us today?
We need to be conscious of security risks all the time online.
So… if you’re still using the same password on every site, stop it.
If you’re still using your mother’s maiden name as your password, stop it.
If you’re still using a short, easy-to-remember combination like your first name and the last four digits of your Social Security number, stop it.
Passwords need to be unique, strong (that means a combination of upper- and lower-case letters, numbers and symbols such as the exclamation point or asterisk) and frequently changed.
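As an added illustration of the “unique and strong” advice above (example code written for this page, not something from MyHeritage or any password manager), here is a small Python script that generates a password meeting those criteria using the operating system’s cryptographic random source, checks whether a given password meets them, and flags the habit the post warns against: the same password reused across several sites. The site names and passwords in `demo()` are constructed for the example.

```python
import secrets
import string
from typing import Dict, List

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)


def is_strong(password: str, min_length: int = 16) -> bool:
    """The post's criteria: long enough, and containing at least one
    upper-case letter, one lower-case letter, one digit and one symbol."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies is_strong().

    secrets.choice draws from the OS cryptographic RNG; random.choice would
    not be suitable here. One character from each class is guaranteed, the
    rest are drawn from the full alphabet, then the order is shuffled so the
    guaranteed characters do not sit in predictable positions.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def find_reused(site_passwords: Dict[str, str]) -> List[List[str]]:
    """Group sites that share a password; each group with more than one
    site is a reuse problem. Returns site names only, never the passwords."""
    by_password: Dict[str, List[str]] = {}
    for site, password in site_passwords.items():
        by_password.setdefault(password, []).append(site)
    groups = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    return sorted(groups)


def demo() -> Dict[str, object]:
    # Constructed sample: three sites, two of them sharing a weak password.
    vault = {
        "genealogy-site": "Smith1234",
        "email": "Smith1234",
        "bank": generate_password(24),
    }
    return {
        "weak_rejected": is_strong(vault["genealogy-site"]),
        "generated_is_strong": is_strong(vault["bank"]),
        "reuse_groups": find_reused(vault),
    }


if __name__ == "__main__":
    print("Generated:", generate_password())
    print(demo())
```

Running it prints a fresh random password and shows the reused-password group `[['email', 'genealogy-site']]`, which is exactly the situation a password manager is meant to prevent.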
Got that?
Now go change your MyHeritage password.
SOURCES
1. “MyHeritage Statement About a Cybersecurity Incident,” MyHeritage Blog, posted 4 June 2018 (https://blog.myheritage.com/ : accessed 6 June 2018).
2. “Cybersecurity Incident: June 5-6 Update,” MyHeritage Blog, posted 6 June 2018.
3. Andy Greenberg, “Hacker Lexicon: What Is Password Hashing?,” Wired, posted 8 June 2016 (https://www.wired.com/ : accessed 6 June 2018).
4. “Cybersecurity Incident: June 5-6 Update,” MyHeritage Blog, posted 6 June 2018.
Re complex passwords and changing them frequently: I use RoboForm to manage passwords for sites and it generates crazy passwords for you, so there is no need to remember them or write them down. It syncs to phone, computers, tablets, etc. (Not an affiliate, and I don’t earn remuneration from endorsement.)
Use an app like KeePass to keep track of your passwords. It’s available for different operating systems (computers and phones). It has a lot of features, including generating random strong passwords. There is no need to use one password on every website. (I am not associated with KeePass; I am simply a happy user.)
The government gets hacked every day. The CIA, Social Security and the IRS have been hacked. They have the greatest firewalls known to man. There is no safe place to hide. There is no unbreakable password. So, the little guy might say “why bother?” Because the chain of password breakers and system hackers are just like us; they run from the Russian and Chinese governments down to the curious kid discovering the wonderful world of power at his/her fingertips. Great fun! But misery for the receiver. So do what you can. Chances are you have nothing that really interests that kid on your computer and you are not a spy, so chances are the foreign governments will just pass you by. Be happy, don’t worry!
Trust… but verify! (smile)
I don’t recall seeing news items that mentioned names as part of the breach, just emails and hashed passwords.