Genealogy website MyHeritage has suffered a data breach which exposed nearly 100 million email addresses, the company has said.

Users who signed up for the service, which is based in Israel and runs DNA tests, puts together family trees and helps people find family members, prior to October 26, 2017, have had their email addresses exposed through the breach.

An unnamed security researcher got in touch with MyHeritage’s Chief Information Security Officer, Omer Deutsch (who has only been in the position since April 2018), with information about a file containing the email addresses and hashed passwords of 92,283,889 users. According to the researcher, this file was found on a private server not belonging to MyHeritage.

The team at MyHeritage then confirmed its authenticity and started an investigation. Obviously, as the passwords were hashed, the file does not give away passwords. According to the firm’s investigation and the security researcher, no other data was on the file and there is ‘no evidence’ that the file was ever actually used.

MyHeritage data types

In a post on company’s website, Deutsch wrote: ‘We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised. As an example, credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage.

‘Other types of sensitive data such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security. We have no reason to believe those systems have been compromised.’

The company says it has responded by setting up an incident response team, employing an independent cybersecurity firm for forensic reviews, notified the ‘relevant authorities’ in order to comply with new GDPR rules, and set up a dedicated customer service line. It has also expedited its planned 2FA feature.

UPDATE: The ICO has confirmed that it was informed of the breach by MyHeritage. A spokesperson said: “We are aware of an incident involving MyHeritage and will make further enquiries to assess the impact on customers.”