Change that password!
Ninety-two million genealogists got another wake-up call yesterday about computer security: a big dollop of bad news eased by a bit of not-so-bad news.
That’s how many of us — The Legal Genealogist included — were among the subscribers whose email addresses and hashed passwords (more on what that means in a second) were found to have been hacked from the MyHeritage computers.
Bottom line: a security researcher contacted MyHeritage and told the company he’d found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. The company’s review showed it really was from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.
That’s the bad news.
The not-so-bad news is that the passwords in the file were hashed rather than stored as plain text. Hashing is a one-way transformation, not encryption in the usual sense: there is no key that turns the stored value back into the password. As Wired’s Hacker Lexicon puts it, a hash is “designed to act as a ‘one-way function’: A mathematical operation that’s easy to perform, but very difficult to reverse. Like other forms of encryption, it turns readable data into a scrambled cipher. But instead of allowing someone to decrypt that data with a specific key, as typical encryption functions do, hashes aren’t designed to be decrypted.”3 The caveat is that a hash protects a password only as well as the password and the hashing scheme allow. Whoever holds the file can’t reverse the hashes, but can hash common passwords and look for matches, so a short or reused password can still be recovered that way; a long, unique password and a slow, per-user salted hash are what make that guessing impractical.
So far there’s no indication that any of the hashed passwords have been cracked, that anything other than email addresses was in plain text, or that financial or other data associated with the accounts was included in the hacked file:
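To make the “one-way function” point concrete, here is an added Python example (written for this page; it is not code from the post or from MyHeritage, and it says nothing about which hashing scheme MyHeritage actually used, which the post does not state). It builds a constructed three-account leak two ways, as plain unsalted SHA-256 and as salted PBKDF2, then plays the attacker: nobody can run a hash backwards, but anyone holding the file can hash a wordlist of common passwords and compare. The wordlist, the addresses and the passwords are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist. Real attackers use lists with billions of
# leaked and common passwords; six entries are enough to show the mechanism.
WORDLIST = ["password", "123456", "genealogy", "Smith1952", "letmein", "qwerty"]

# PBKDF2 work factor. Kept small so the demo runs in well under a second;
# production systems use several hundred thousand iterations or more.
ITERATIONS = 20_000


def fast_unsalted_hash(password: str) -> str:
    """A plain one-way function: trivial to compute forward, no way to run it
    backwards. This is the weak way to store passwords, shown for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt. Still one-way, but each
    guess costs `iterations` rounds and the salt forces per-user work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Attacker's view of an unsalted dump {email: hex_hash}.

    Hash every guess once, then look up every leaked hash in that table: the
    cost is one pass over the wordlist for the whole file, however many users.
    """
    table = {fast_unsalted_hash(guess): guess for guess in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}


def crack_salted(leaked: dict, wordlist, iterations: int = ITERATIONS) -> dict:
    """Attacker's view of a salted dump {email: (salt, digest)}.

    No shared table is possible because the salt differs per user, so every
    user costs a full pass over the wordlist at the slow hash's price. Weak
    passwords still fall; a long, unique one is simply not in the list.
    """
    found = {}
    for email, (salt, digest) in leaked.items():
        for guess in wordlist:
            if hmac.compare_digest(slow_salted_hash(guess, salt, iterations), digest):
                found[email] = guess
                break
    return found


def demo():
    """Build a constructed three-user leak both ways and attack each.

    Returns (recovered_from_unsalted, recovered_from_salted)."""
    # Constructed accounts: two use passwords that appear in the wordlist,
    # one uses a long unique passphrase that does not.
    users = {
        "alice@example.com": "genealogy",
        "bob@example.com": "Smith1952",
        "carol@example.com": "copper-lantern-quilt-1847-ferry",
    }
    unsalted_dump = {email: fast_unsalted_hash(pw) for email, pw in users.items()}
    salted_dump = {}
    for email, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
        salted_dump[email] = (salt, slow_salted_hash(pw, salt))
    return crack_unsalted(unsalted_dump, WORDLIST), crack_salted(salted_dump, WORDLIST)


if __name__ == "__main__":
    from_unsalted, from_salted = demo()
    print("recovered from unsalted SHA-256:", from_unsalted)
    print("recovered from salted PBKDF2:   ", from_salted)
```

Both attacks recover the two wordlist passwords and neither recovers the long passphrase, which is the whole lesson: the hash buys the site time, but only the password’s length and uniqueness keep it out of the attacker’s list. The salt and the slow hash change the economics rather than the principle, turning one cheap table lookup for the entire file into a separate slow pass per user.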
We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers utilized by MyHeritage. Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.4
So… what does that mean for us today?
It means we need to change our MyHeritage passwords. In fact, MyHeritage is expiring everybody’s password, meaning if you don’t change it — even if you signed up after October 2017 and aren’t affected by this — one day very soon the system will make you change it when you try to log in.
And what else does this mean for us today?
We need to be conscious of security risks all the time online.
So… if you’re still using the same password on every site, stop it.
If you’re still using your mother’s maiden name as your password, stop it.
If you’re still using a short, easy-to-remember combination like your first name and the last four digits of your Social Security number, stop it.
Passwords need to be unique to each site, strong (above all long, since every added character multiplies the guesses an attacker has to make; mixing upper and lower case letters, numbers and characters like the exclamation point or asterisk helps only when the result isn’t a predictable pattern) and changed promptly whenever a site you use reports a breach, as MyHeritage has. A password manager makes unique, long passwords practical because you no longer have to remember them.
Now go change your MyHeritage password.
1. “MyHeritage Statement About a Cybersecurity Incident,” MyHeritage Blog, posted 4 June 2018 (https://blog.myheritage.com/ : accessed 6 June 2018).
2. Ibid., “Cybersecurity Incident: June 5-6 Update,” posted 6 June 2018.
3. Andy Greenberg, “Hacker Lexicon: What Is Password Hashing?,” Wired, posted 8 June 2016 (https://www.wired.com/ : accessed 6 June 2018).
4. “Cybersecurity Incident: June 5-6 Update,” MyHeritage Blog, posted 6 June 2018.