In an odd coincidence, earlier today we asked rhetorically "what could go wrong" if millions of Americans trust a DNA collecting company - in this case ancestry.com - with their genetic code. At almost the exact same time, Bloomberg reported that the Israeli-based consumer genealogy website, MyHeritage had been hacked, and that the email addresses and password information linked to more than 92 million user accounts have been "compromised."
According to MyHeritage, its security officer had received a message from a researcher who unearthed a file named “myheritage” containing email addresses and hashed passwords of 92,283,889 of its users on a private server outside the company.
“There has been no evidence that the data in the file was ever used by the perpetrators,” the company said in a statement late Monday, supposedly in an attempt to make its nearly 100 million users and customers feel comfortable.
It was not explicitly clear if any client "genetic material" had also been compromised as part of the security breach.
Like Ancestry.com and 23andMe, MyHeritage lets users submit their DNA, build family trees, search historical records and hunt for potential relatives. Founded in Israel in 2003, the site launched a service called MyHeritage DNA in 2016 that lets users send in a saliva sample for genetic analysis. The website currently has 96 million users of whom 1.4 million users have taken the DNA test.
In a blog post, MyHeritage said the breach took place on Oct. 26, 2017, and impacts users who signed up for an account through that date. Armed with that information, a hacker could access personal information such as the identity of family members. While the company said it is unlikely that they could easily access a user’s raw genetic information, that's precisely what one would expect them to say as the alternative is going out of business as its entire user base flees.
Still, while it wasn't certain whether or not the genetic data had been compromised, the company emphasized that DNA data is stored “on segregated systems and are separate from those that store the email addresses, and they include added layers of security.”
As Bloomberg adds, MyHeritage has set up a 24/7 support team to assist customers affected by the breach. It plans to hire an independent cybersecurity firm to investigate the incident and potentially beef up security. In the meantime, users were prudently advised to change their passwords.
Meanwhile, as consumer DNA testing has grown into a $99 million industry, questions about the security of users’ intimate data have increased as well. After investigators tracked down a suspect in the Golden State Killer case using a genealogy website that, like MyHeritage, allows users to upload raw genetic information, privacy concerns about shared DNA data have also surged. One thing is certain: more stories like the hack of Ancestry.com and MyHeritage are the surest way to ensure that the industry which allows naive customers to hand over their DNA to a 3rd party and pay for the privilege, shrinks from $99 million to 0 in a very short time frame.