The genealogy service MyHeritage is investigating how email addresses and passwords for 92 million customers found their way to a private external server.
On June 4, officials of the company, which claims 96 million users worldwide, acknowledged that a security researcher found the personal information.
Omer Deutsch, MyHeritage’s chief information security officer, said in a company blog post that the researcher gave them a file named “myheritage” and officials confirmed that it contained company data.
Deutsch said customers who registered an account with the company through Oct. 26, 2017, when the breach occurred, have been affected. He said the company has not detected abnormal activity associated with leaked accounts.
“We believe the intrusion is limited to the user email addresses,” Deutsch wrote. “We have no reason to believe that any other MyHeritage systems were compromised.”
Deutsch said the company doesn’t store payment information, as it is handled by third-party billing providers such as BlueSnap and PayPal.
Deutsch wrote that “other types of sensitive information such as family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.”
MyHeritage has set up an information security response team to handle the breach.
“We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future,” Deutsch said.