Has anyone else not been notified about this?

Posted: 19 Apr 2020 13:35
by GeneSniper
Hi all,

I have just visited this site (which I do every few months) https://haveibeenpwned.com/ and found out my email address has been compromised. The thing that annoyed me was that it was MyHeritage that were the culprits and they have never notified me.
MyHeritage: In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it be attributed to "BenjaminBlue@exploit.im".

Compromised data: Email addresses, Passwords
Has anyone else been contacted about this or not if my experience is anything to go by?

Re: Has anyone else not been notified about this?

Posted: 19 Apr 2020 13:45
by jbtapscott
I got notification via LastPass (my password manager) but nothing from MyHeritage - I logged on and immediately changed my password.

Re: Has anyone else not been notified about this?

Posted: 19 Apr 2020 14:03
by ColeValleyGirl
Dashlane (my password manager) notified me, so I likewise changed my password.

Re: Has anyone else not been notified about this?

Posted: 19 Apr 2020 14:17
by David2416
No I have not been notified, thanks for alerting us.

Re: Has anyone else not been notified about this?

Posted: 19 Apr 2020 14:46
by tatewise
I was not notified but have seen my Email in Have I Been Pwned against MyHeritage.
The MyHeritage blog is at MyHeritage Statement About a Cybersecurity Incident.
Since only hash codes for passwords were stolen I was not too concerned.
I have different strong passwords for every account, and the MyHeritage account is a free one, so little risk.

Re: Has anyone else not been notified about this?

Posted: 19 Apr 2020 19:10
by GeneSniper
Agreed Mike,

I don't use the same passwords anywhere, either. I was more annoyed that MyHeritage hadn't notified me; a simple email with a link to their notification would have been all that was required. There are many out there who do use the same password, and not a very strong one either, and as salted SHA-1 password hashes have known vulnerabilities, I thought it may be something to mention here.

Re: Has anyone else not been notified about this?

Posted: 20 Apr 2020 06:27
by gwilym'smum
Hi
Sorry to be dim, but what are hash codes please? I haven't had any communication from My Heritage.
Ann

Re: Has anyone else not been notified about this?

Posted: 20 Apr 2020 08:05
by davidf
"Hash Codes"

In this context they probably mean passwords that have been "encoded".

Ideally your password is not stored as plain text but in a one-way encoded manner, so that if you steal the encoded version you cannot work out the original. Certain mathematical formulae work one way only: 10 mod 3 (the remainder of 10 divided by 3) is 1, but so is 7 mod 3, so knowing the result (1) does not get you back to 10 (it could be 7 or 4 or 100 or ...). Other formulae involve taking the password and passing it through a formula with a secret "key" number (if you start multiplying very large prime numbers together, you create a lot of work for someone to work out what the two factors of the resulting extremely large number are).

This is done multiple times with multiple functions in the fractions of a second after you create a password. Only you know the password to put into this function to produce the "hashed" version, and it is only when the hashed versions match that the system "unlocks".

There are other means to throw password crackers off the scent (you may hear of "salting", a bit like throwing "pseudo random" extra characters into the encoding stream to further obfuscate the original password), but that is the general idea.

As long as the various algorithms etc. remain either confidential or too obscure, just stealing a "hashed password" does not help the hacker get back to the original password that has to be entered at the password prompt.

After notification of any breach, however, it is wise to change your password, as you never know for sure what has been breached or how secure the hash and salting functions were.

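As an added illustration of the "salted SHA-1 password hashes" named in the HIBP description quoted above (example code written for this thread, not from MyHeritage or any forum member), the snippet below stores and verifies passwords two ways: a single salted SHA-1 pass, and an iterated PBKDF2 derivation that makes each guess far more expensive. The iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumption for this example: a modern PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def salted_sha1(password: str, salt: bytes) -> str:
    """One SHA-1 pass over salt || password.

    The salt stops a leaked database being checked against one precomputed
    table, but a single SHA-1 is so cheap that each user's hash can still be
    guessed at very quickly once the salt is known.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes) -> str:
    """Iterated PBKDF2-HMAC-SHA256: every guess costs the full iteration count."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


def store(password: str, scheme: str = "pbkdf2") -> str:
    """Build a storable record 'scheme$salt_hex$digest_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = salted_sha1(password, salt) if scheme == "sha1" else pbkdf2_hash(password, salt)
    return f"{scheme}${salt.hex()}${digest}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = salted_sha1(password, salt) if scheme == "sha1" else pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Two users picking the same (constructed) password get unrelated records
    # because each gets its own salt; the right password still verifies.
    r1 = store("correct horse", "sha1")
    r2 = store("correct horse", "sha1")
    print(r1 != r2, verify("correct horse", r1), verify("wrong guess", r1))
```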

Re: Has anyone else not been notified about this?

Posted: 20 Apr 2020 15:59
by gwilym'smum
Thank you David for taking the time to explain.
Ann