The First In The Queue for a large GDPR Fine?

I know many people who are interested in tracing their heritage, and today I was forwarded an email which reported that there had been a major hack on the Israel-based company MyHeritage:

It is thought that around 92 million accounts were found on the server, and that these relate to users who registered up to 26 October 2017 (the date of the breach). It was recently reported that over 35 million family trees are stored on the site.

The company reported that a file named "myheritage" was found on an external site and that it contained email addresses and hashed passwords. Beyond this, the company gave no further details of the hashing method used, or of whether salting was used, apart from the vague statement that:

the hash key differs for each customer

which, from a cryptography point of view, does not make much sense, but is thought to mean that a per-user salt was used. It is not thought that credit card details were compromised, but a leak of hashed passwords still causes users problems: once a hash is cracked, attackers try the recovered password on other sites.

For their part, the company has reported the incident under GDPR and has implemented two-factor authentication.

Lessons:

  • Implement two-factor authentication now!
  • Companies need to take password security seriously, and report on the methods they used.
  • Companies need to report in a form that users and technical specialists can understand, so that a risk assessment can be made.
  • Companies should use BCrypt or PBKDF2 by default for password hashing.
  • Don't use the same password across different sites.
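The salting and hashing points above, as an added example (not code from the article or from MyHeritage): the weak unsalted pattern beside a PBKDF2 store-and-verify routine in which the "key" really does differ for each customer because a fresh random salt is stored with every record. Iteration count, salt length and the record format are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy values (not from the article): tune ITERATIONS so one hash
# costs roughly 100 ms on the authentication server, and raise it over time.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """The weak pattern: no salt, one fast hash. Every user with the same
    password gets the same digest, so one crack unlocks all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_<hash>$<iterations>$<salt b64>$<digest b64>'.
    The random per-user salt is what makes equal passwords yield different
    records, so precomputed (rainbow) tables are useless against the dump."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        hash_name = scheme.split("_", 1)[1]
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, IndexError):
        return False  # malformed or unknown record: fail closed
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str) -> bool:
    """True if a stored record is below current policy; re-hash at next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or not parts[1].isdigit():
        return True
    return parts[0] != "pbkdf2_" + HASH_NAME or int(parts[1]) < ITERATIONS
```

Because the record carries its own parameters, the iteration count can be raised later and old records upgraded transparently when users next log in.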
