Slashdot Mirror


MyHeritage, a DNA Testing and Ancestry Service, Announces Data Breach of Over 92 Million Account Details (vice.com)

Joseph Cox, reporting for Motherboard: Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage. The data relates to users who signed up to MyHeritage up to and including October 26, 2017 -- the date of the breach -- the announcement adds. Users of the Israeli-based company can create family trees and search through historical records to try and uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website. In all, the breach impacted 92,283,889 users, according to MyHeritage's disclosure.

47 of 117 comments

  1. Gives a whole new meaning: Who's your daddy? by UnknownSoldier · · Score: 2

    With the security breach it kind of gives a whole new meaning to:

    Who's your daddy? :-/

    On a related note:

    When are we going to start fining companies that suffer a security breach?
    Until there is a financial penalty companies have very little motivation to take security seriously.

    1. Re:Gives a whole new meaning: Who's your daddy? by TechyImmigrant · · Score: 5, Interesting

      >Who's your daddy?

      In my family's case, it was "Who's your uncle?" and "Who's your cousin?".

      My wife's bible bashing, holier than thou grandfather was dipping his wick in many places it seems. The denial on the part of the bible bashing, holier than thou, next generation was remarkable.

      23andme uncovered these things.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Gives a whole new meaning: Who's your daddy? by Oswald+McWeany · · Score: 1

      > With the security breach it kind of gives a whole new meaning to:
      >
      > Who's your daddy? :-/
      >
      > On a related note:
      >
      > When are we going to start fining companies that suffer a security breach?
      > Until there is a financial penalty companies have very little motivation to take security seriously.

      You punish a company that doesn't take security seriously by taking your business elsewhere.

      We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly. We don't legally punish Target for being the victim of shoplifting. You don't arrest rape victims for being raped (even if they wore revealing clothing and didn't learn to defend themselves with kung-fu).

      Charging the victim isn't an option.

      As a consumer, sure, you have the right to take your business elsewhere.

      --
      "That's the way to do it" - Punch
    3. Re: Gives a whole new meaning: Who's your daddy? by Anonymous Coward · · Score: 1

      Don't tell me what to do! I'm My Own Grandpa!

    4. Re:Gives a whole new meaning: Who's your daddy? by Kozar_The_Malignant · · Score: 4, Insightful

      > We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly.

      That's because I'm not generally storing my stuff in my neighbor's house. However if I loan my lawnmower to my neighbor, and it gets stolen because he left his garage door open overnight, he is generally responsible civilly for my loss.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    5. Re:Gives a whole new meaning: Who's your daddy? by CaptainDork · · Score: 1

      Fucked up analogy.

      You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.

      Also, strangers don't have their goddam personal property or data in your unlocked house.

      Litigation is the ONLY solution to this bullshit.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Gives a whole new meaning: Who's your daddy? by Errol+backfiring · · Score: 1

      I guess we should stop saying "and Bob's your uncle", when we can look it up and see that he isn't.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    7. Re:Gives a whole new meaning: Who's your daddy? by Oswald+McWeany · · Score: 1

      > Fucked up analogy.
      >
      > You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.
      >
      > Also, strangers don't have their goddam personal property or data in your unlocked house.
      >
      > Litigation is the ONLY solution to this bullshit.

      It's not your data. It's their data because you gave it to them. Now, I'm all for changing privacy laws to be more like European privacy laws- but you can't say you had YOUR data stolen when as it sits in the law it isn't your data- it's the web company's data.

      --
      "That's the way to do it" - Punch
    8. Re:Gives a whole new meaning: Who's your daddy? by CaptainDork · · Score: 2

      > ... but you can't say you had YOUR data stolen ...

      You should sign up on a site called, "Slashdot ... News For Nerds; Stuff That Matters"

      They have stories that can help you understand.

      Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:Gives a whole new meaning: Who's your daddy? by TechyImmigrant · · Score: 1

      > Yawn.

      The truth makes you sleepy?
      That's a medical problem that needs a name.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    10. Re:Gives a whole new meaning: Who's your daddy? by TechyImmigrant · · Score: 1

      >You're suggesting that DNA shit is something you can file for, and have the company return it back to you, in its entirety so you can give it to another business.

      That's exactly how it works. You can download it and give it to another business, like Promethease or Genetic Genie or Nutrahacker.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    11. Re:Gives a whole new meaning: Who's your daddy? by apoc.famine · · Score: 1

      I'm going to go to space and change mine so it's no longer useful to them. Then I'll be able to count on one hand the seven reasons I'm never doing business with them again.

      --
      Velociraptor = Distiraptor / Timeraptor
    12. Re:Gives a whole new meaning: Who's your daddy? by slew · · Score: 1

      > I'm going to go to space and change mine so it's no longer useful to them. Then I'll be able to count on one hand the seven reasons I'm never doing business with them again.

      You don't have to go that far, Chernobyl and Fukushima are both accessible w/o a rocket...

    13. Re:Gives a whole new meaning: Who's your daddy? by Oswald+McWeany · · Score: 1

      > You should sign up on a site called, "Slashdot ... News For Nerds; Stuff That Matters"
      >
      > They have stories that can help you understand.

      Nah... I stay away from there, that place is full of idiots. :)

      > Data Breach Victims Can Sue Yahoo in the United States, Federal Judge Rules

      Sure... you're welcome to try suing in a civil court if you like. 9 times out of 10 you'll probably fail. Yahoo might actually be one of those rare exceptions because it wasn't just negligence it was gross negligence. They weren't just insecure- they KNEW they were insecure and actively did nothing.

      If you think you own the data you give to companies like Facebook, and MyHeritage, etc, you're bound to be disappointed in the long run. You might have more luck in Europe but in the US- they own the data. They certainly don't think of it as YOUR data and neither would the courts.

      The exception might be if MyHeritage made some guarantee about keeping data safe or keeping your data private. Again though, that would be a civil court process, there wouldn't be any fines against them because they are legally speaking the victims here, not you.

      --
      "That's the way to do it" - Punch
    14. Re:Gives a whole new meaning: Who's your daddy? by Dragonslicer · · Score: 1

      > We don't legally punish the person whose house gets broken into by a burglar for not securing their house properly.

      > That's because I'm not generally storing my stuff in my neighbor's house. However if I loan my lawnmower to my neighbor, and it gets stolen because he left his garage door open overnight, he is generally responsible civilly for my loss.

      > Sorry to be a wet blanket here, but since when do you own anything on someone else's computer?

      That doesn't matter. The reason the neighbor would be liable for your loss isn't just because something that you own was stolen. The reason is that their actions, or lack thereof, caused you financial harm.

    15. Re:Gives a whole new meaning: Who's your daddy? by SeaFox · · Score: 1

      > When are we going to start fining companies that suffer a security breach?

      Just as soon as money gets out of politics.

    16. Re:Gives a whole new meaning: Who's your daddy? by Kozar_The_Malignant · · Score: 2

      > Sorry to be a wet blanket here, but since when do you own anything on someone else's computer?

      I own dollars and Euros that have no physical existence except in my banks' computers. Ditto cryptocurrencies. Many people own copyrighted commercial and private personal information stored on computers someone leases in the cloud. Location does not equate to ownership.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    17. Re:Gives a whole new meaning: Who's your daddy? by TechyImmigrant · · Score: 1

      Some family members were forking everything in sight.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. GDPR... by shatteredsilicon · · Score: 1

    ... is going to sting on this one...

  3. Re:Wow so now your great great grand daddy's by jedidiah · · Score: 1

    The ancestry data is pretty much public. So that's no real loss. These services all share that kind of stuff quite widely. It's kind of why they are even remotely useful at all.

    The DNA data is a bit more interesting/private though.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  4. your mother's maiden name by goombah99 · · Score: 2

    or your father's middle name are now useless security questions. Along with your SS number, address, home telephone, ....

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:your mother's maiden name by goombah99 · · Score: 2

      take the security question. Hash it with your own secret salt. give that as the answer.

      --
      Some drink at the fountain of knowledge. Others just gargle.
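One way to implement what goombah99 suggests, as an added example that is not from the original thread or any commenter: every answer is derived from one private secret with HMAC-SHA256 keyed on the site name and the question text, then mapped onto a 32-character alphabet with no 0/O or i/l look-alikes so it can be read out to a support rep without ambiguity. The demo key, site names and question strings below are constructed for the demonstration; in real use the secret is generated once and lives only in your password manager.

```python
import hashlib
import hmac
import secrets

# 32 characters with no 0/O or i/l look-alikes, so an answer can be read
# aloud without the "grave or backtick?" problem. 32 = 2**5, so taking
# 5 bits of each digest byte introduces no modulo bias.
ALPHABET = "abcdefghjkmnpqrstuvwxyz123456789"
assert len(ALPHABET) == 32

# Constructed demo key for this example only. A real one comes from
# new_secret() and is stored nowhere but your password manager.
DEMO_KEY = bytes.fromhex(
    "3f1c9e7a5b2d4c6e8f0a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9e0f2a4b6c8d0e"
)


def new_secret() -> bytes:
    """Generate the one private secret all answers are derived from."""
    return secrets.token_bytes(32)


def derive_answer(secret: bytes, site: str, question: str, length: int = 12) -> str:
    """Derive a stable, unguessable answer for one site's security question.

    HMAC-SHA256(secret, site || 0x00 || question) is deterministic, so the
    same inputs always reproduce the answer; without the secret the output
    is indistinguishable from random, so a genealogy dump that reveals your
    real mother's maiden name tells an attacker nothing about this value.
    Site and question are normalised so spacing and case differences in
    the form do not change the answer.
    """
    if not 1 <= length <= 32:
        raise ValueError("length must be between 1 and 32 for a single digest")
    norm_site = site.strip().lower().encode("utf-8")
    norm_question = " ".join(question.split()).lower().encode("utf-8")
    digest = hmac.new(secret, norm_site + b"\x00" + norm_question, hashlib.sha256).digest()
    return "".join(ALPHABET[b & 31] for b in digest[:length])


def for_phone(answer: str, group: int = 4) -> str:
    """Group an answer into short hyphenated chunks for reading out loud."""
    return "-".join(answer[i:i + group] for i in range(0, len(answer), group))


if __name__ == "__main__":
    q = "What is your mother's maiden name?"
    for site in ("bank.example", "myheritage.example"):
        a = derive_answer(DEMO_KEY, site, q)
        print(f"{site:20} -> {a}  (read as: {for_phone(a)})")
```

Because the site name is part of the keyed input, a compromised answer at one site is useless at every other, and because the mapping is deterministic there is nothing to store per site beyond the question text itself. For forms that only offer drop-down answers this does not help; there the only option is to pick the least-public choice and note it in the password manager.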
    2. Re: your mother's maiden name by nitehawk214 · · Score: 1

      It became illegal to use SSN as an identifier for private companies a while back. The same should be for the security questions.

      Of course my mother's maiden name is a 32 byte hex string, so good luck with that. I had a bank employee thank me for having something that could not be easily hacked.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    3. Re:your mother's maiden name by sexconker · · Score: 2

      The problem is many times answers are restricted to drop down responses or are tied to actual data about you (like past addresses, phone numbers, etc.).
      Another issue is that these are the things the customer service reps can see if you ever get locked out and need to call them.
      Good luck reading out a random password over the phone. No, BACKslash. It's going from top left to bottom right. No no, that's the grave / backtick.

    4. Re:your mother's maiden name by bobbutts · · Score: 1

      I've been giving bs answers to these security questions for a long time. Just have to keep track of them. Much rather that than have my account "protected" by easily obtainable information.

    5. Re:your mother's maiden name by jrumney · · Score: 1

      These have always been useless security questions, as birth records are public documents.

    6. Re:your mother's maiden name by jrumney · · Score: 1

      Just because those are the questions, it doesn't mean you need to give truthful answers. As far as my bank knows, my mother's maiden name is hunter2.

    7. Re:your mother's maiden name by sexconker · · Score: 1

      Not all of the forms I've dealt with let you put in anything you want. Some are drop down or radio button controls tied to a set of options. This is frequently the case when they use a data set backed by "true" info about you (that they typically pull from the 3 major credit unions).

      Your mother's maiden name is *******?

  5. Re:Gawd by jedidiah · · Score: 1

    ...or you just don't care anymore because that particular cat is out of the bag already.

    Although this really only becomes a problem if DNA based discrimination is allowed. If that's the case, then you will be coerced into creating this data. Would be abusers won't need to depend on a data breach.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  6. Re:Lock Him Up! by Anonymous Coward · · Score: 1, Insightful

    Donald Trump promised to commit treason?

  7. This ought to be particularly alarming by Anonymous Coward · · Score: 4, Insightful

    DNA testing results are particularly sensitive information. While these sites use the information to identify ancestry, they can also test for genetic risk factors for developing various illnesses. That information may be very useful to individuals who can make lifestyle and medical decisions to mitigate those risks. Unfortunately, that information can also be used by insurance companies to deny coverage and by potential employers to not hire people who are at higher risks to develop some medical conditions.

    There needs to be a certification process for handing sensitive data, meaning that businesses must be certified before they're legally allowed to handle information like DNA test results. That certification process should require third party audits to ensure that various standards are met. This would be followed up with random unannounced periodic checks to ensure that the business is still in compliance with those standards. Any business that is handling such data without certification should be subject to penalties at least as severe as if all the sensitive data was compromised in a breach. There needs to be standards for handling sensitive data and a certification process to ensure that the data is handled properly.

    1. Re: This ought to be particularly alarming by Cinnamon+Beige · · Score: 2

      No, banning hacking is already covered by laws such as the CFAA, and you know that. Besides, this breach wasn't the result of a hack. The data was left unsecured on a server. Your comment isn't helpful. As for bans on hacking, a much better idea is to impose stricter standards on the handling of information like DNA test results. A fairly straightforward solution in the United States would be to make businesses like MyHeritage subject to the data protections included in HIPAA. If you're handling DNA information and doing business in the United States, you would be subject to that law.

      I'd actually be very, very surprised if HIPAA doesn't already cover DNA information, especially given that there are laws specifically in place covering genetic privacy, pretty much because it was decided that genetic discrimination is a problem that is most easily solved before it's particularly feasible.

  8. Data by Translation+Error · · Score: 1

    The data that was accessed seems to be a list of email addresses with hashed and salted passwords.

    --
    When someone says, "Any fool can see ..." they're usually exactly right.
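What "hashed and salted" buys the users in that list, as an added example that is not from the thread and not MyHeritage's code (the page does not say which hash or parameters they used): with a per-user random salt, two users who chose the same password get two unrelated stored values, so whoever holds the dump must attack each row separately instead of hashing a wordlist once and matching it against every account. PBKDF2-HMAC-SHA256, the iteration count, the weak SHA-1 comparison scheme and the sample users and wordlist are all my choices for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor chosen for the illustration, in line
# with current OWASP guidance (600,000). Lower it only for tests.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-1 of the password, no salt.

    Identical passwords give identical hashes, so one precomputed-table
    hit cracks every user who chose that password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing 'algo$iters$salt$dk' form."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record
        return False


def crack_unsalted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Attacker's view of an unsalted dump: hash each candidate ONCE and
    look it up against every row. Cost is O(|wordlist| + |dump|)."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Same attack on a salted dump: every candidate must be re-derived
    under every user's salt. Cost is O(|wordlist| * |dump|) PBKDF2 runs."""
    found: dict[str, str] = {}
    for user, stored in dump.items():
        for w in wordlist:
            if verify_password(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    # Constructed sample data; not from any real dump.
    wordlist = ["123456", "password", "hunter2", "letmein"]
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p, iterations=10_000) for u, p in users.items()}
    print("unsalted: alice and bob share a hash?", unsalted["alice"] == unsalted["bob"])
    print("salted:   alice and bob share a hash?", salted["alice"] == salted["bob"])
    print("cracked from unsalted dump:", crack_unsalted(unsalted, wordlist))
    print("cracked from salted dump:  ", crack_salted(salted, wordlist))
```

The salt does not make a weak password strong: "hunter2" still falls to the salted attack, just once per account rather than once for the whole table. What it removes is the shortcut, and the iteration count then sets the price of each guess.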
  9. Every gods-be-damned WEEK. by Rick+Schumann · · Score: 1

    Every gods-be-damned week, there's more of this shit happening.

    You all have exactly TEN SECONDS to justify to me why, in 2018, with this shit happening every gods-be-damned week, you'd ever sign up for any internet service that requires your real name and other personal information. Lunacy, it's all lunacy.

    1. Re:Every gods-be-damned WEEK. by slew · · Score: 1

      _I_ didn't. My family - my mother in law specifically - may very well have. She still can't get over our marriage and yes she is the cranky old bat type.

      I highly doubt these companies require consent from everyone involved. Those databases are used by Government agencies after all.

      And sometimes those databases are used to catch a serial killer...

      Of course the serial killer didn't give any consent, but he was apparently identified anyhow by tracing through a third cousin who uploaded their dna profile...

  10. the breach impacted 92,283,889 users by grep+-v+'.*'+* · · Score: 1

    Jesus Christ. Another? What a surprise. I feel like putting all of my details out in public on my own website.

    Why? Don't go to those other guys to get my info as it might be incorrect. At least retrieve it from the authoritative source where it's supposed to be right.

    I could also host a comment section in case anyone discovers something actually IS incorrect. Hell, you're already using my data, you might as well help me correct any inadvertent errors while you're at it.

    By the way, the security PIN for my debit card really is pi. You'd actually be surprised though at how many digits they will accept.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  11. Re:Security, what security? Is that a thing we do? by sexconker · · Score: 1

    And to do so you'd need to physically be there, and risk physically getting shot in the fucking gut.

  12. And do you know what their website says right now? by argStyopa · · Score: 1

    Spring Special
    50% discount on the MyHeritage Complete plan, for the next few days only!
    Learn more

    So you have a breach SIX MONTHS AGO and not only do you not tell anyone, but the day you supposedly announce it, that doesn't seem to make it to your page? Really?

    --
    -Styopa
  13. Er, no by bagofbeans · · Score: 3, Informative

    Questions may be restricted, but the responses can be anything you choose. Your first car? Fattybut. Name of second school? 902010 etc

    1. Re:Er, no by sexconker · · Score: 1

      > Questions may be restricted, but the responses can be anything you choose.

      Not always, unfortunately. And certainly not when they're using any info backed by the big 3 monsters (Equifax, Transunion, and Experian) that you may be forced to prove if something fucks up, such as living at a certain address, having a phone number, having a specific loan / financial account, etc.

      I have in my KeePass file notes that for certain security questions I have to answer incorrectly because the data they have on file is wrong. For example, they think my main phone number is a land line when it's a cell phone. If I get that question as a challenge and I answer it truthfully, I get locked out and have to call some support jockey. The last time it happened I had to resort to paper mail and inky signatures and excessive wait times.

  14. So, true story by FilmedInNoir · · Score: 1

    I paid for the test only to learn I'm a mayo sandwich on white bread with the crusts cut off... I was hoping for something cool (I might be Eastern European though)
    Anyway, checked my profile, and I used my hotmail account and filled out the forms using a single letter for each field. I blame genetics for my paranoia.

    --
    Sig. Sig. Sputnik
  15. Nay lads, bad biology by bagofbeans · · Score: 1

    It's an eating gut. Use your willy for the other activity.

  16. The beauty of it. by gatfirls · · Score: 1

    *You* may not give up this information, but someone who has all of your personal information in their contacts on their phone may.

    It's a clusterfuck.

    1. Re:The beauty of it. by Rick+Schumann · · Score: 1

      No one has 'all my personal' anything on their phone, and I don't use ANY 'social media', so there's nothing anyone I know has that can leak to anyone else.

    2. Re:The beauty of it. by gatfirls · · Score: 1

      Well congrats you are the unicorn who knows for a 100% fact that no one in the world has any personal information about you stored on their phone or elsewhere. I figured in this day you would have to live in the forest and never make contact with anyone to achieve that goal but here you are. The rest of us have family and friends and even acquaintances who may do this unbeknownst to us. Also data mining companies pretty much have all of your information anyway from decades of public records and 'PII for profit' companies.

      By the way; Slashdot is a form of social media.

  17. Re:Pure gold for insurance companies by xystren · · Score: 1

    That was my first thought. I wonder how anonymized the data was? I'm sure there are unique identifiers (or serial numbers) for the data, which are linked to the serialized spit bottle, which is linked to a purchase order and payment information. So much for anonymization protecting us.

    Now with it in the wild, you don't even need the unique identifier as your DNA will provide that. But then again, it's unlikely your insurance companies don't already have that information. Certain laws state they can't use that against someone, but it would be virtually impossible to prove that they did (unless you caught them right in the act).

  18. sheesh! by jtgd · · Score: 1

    It's getting to where I don't trust anybody with anything.

    --
    J