* Has anyone else not been notified about this?

The place to chat and put the world to rights
GeneSniper
Famous
Posts: 219
Joined: 06 Dec 2016 20:40
Family Historian: V6.2
Location: East Kilbride, Lanarkshire, UK

Has anyone else not been notified about this?

Post by GeneSniper » 19 Apr 2020 13:35

Hi all,

I have just visited this site (which I do every few months) https://haveibeenpwned.com/ and found out my email address has been compromised. The thing that annoyed me was that it was MyHeritage that were the culprits and they have never notified me.
MyHeritage: In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it be attributed to "BenjaminBlue@exploit.im".

Compromised data: Email addresses, Passwords
Has anyone else been contacted about this or not if my experience is anything to go by?
William

* Illegitimi non carborundum *

jbtapscott
Superstar
Posts: 274
Joined: 19 Nov 2014 17:52
Family Historian: V6.2
Location: Manchester & Greece

Re: Has anyone else not been notified about this?

Post by jbtapscott » 19 Apr 2020 13:45

I got notification via LastPass (my password manager) but nothing from MyHeritage - I logged on and immediately changed my password.
Brent Tapscott ~ researching the Tapscott and Wallace family history
Tapscott & Wallace family tree

ColeValleyGirl
Megastar
Posts: 1705
Joined: 28 Dec 2005 22:02
Family Historian: V6.2
Location: Cirencester, Gloucestershire

Re: Has anyone else not been notified about this?

Post by ColeValleyGirl » 19 Apr 2020 14:03

Dashlane (my password manager) notified me, so I likewise changed my password.

David2416
Famous
Posts: 167
Joined: 12 Nov 2017 16:37
Family Historian: V6.2
Location: Suffolk UK

Re: Has anyone else not been notified about this?

Post by David2416 » 19 Apr 2020 14:17

No I have not been notified, thanks for alerting us.

tatewise
Megastar
Posts: 18642
Joined: 25 May 2010 11:00
Family Historian: V6.2
Location: Torbay, Devon, UK

Re: Has anyone else not been notified about this?

Post by tatewise » 19 Apr 2020 14:46

I was not notified but have seen my Email in Have I Been Pwned against MyHeritage.
The MyHeritage blog is at MyHeritage Statement About a Cybersecurity Incident.
Since only hash codes for passwords were stolen I was not too concerned.
I have different strong passwords for every account, and the MyHeritage account is a free one, so little risk.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry

GeneSniper
Famous
Posts: 219
Joined: 06 Dec 2016 20:40
Family Historian: V6.2
Location: East Kilbride, Lanarkshire, UK

Re: Has anyone else not been notified about this?

Post by GeneSniper » 19 Apr 2020 19:10

Agreed Mike,

I don't use the same passwords anywhere, either. I was more annoyed that MyHeritage hadn't notified me; a simple email with a link to their notification would have been all that is required. There are many out there who do use the same password and not too strong either, and as Salted SHA-1 password hashes have known vulnerabilities, I thought it may be something to mention here.
William

* Illegitimi non carborundum *

gwilym'smum
Superstar
Posts: 265
Joined: 01 Feb 2016 16:28
Family Historian: V6.2
Location: South Cheshire

Re: Has anyone else not been notified about this?

Post by gwilym'smum » 20 Apr 2020 06:27

Hi
Sorry to be dim but what are hash codes please? I haven't had any communication from MyHeritage.
Ann
Researching Mayer, Parr/Parr, Simcock, Beech and all related families

davidf
Superstar
Posts: 366
Joined: 17 Jan 2009 19:14
Family Historian: V6.2
Location: UK

Re: Has anyone else not been notified about this?

Post by davidf » 20 Apr 2020 08:05

"Hash Codes"

In this context they probably mean passwords that have been "encoded".

Ideally your password is not stored as plain text but in a one-way encoded manner, so that if you steal the encoded version you cannot work out the original. Certain mathematical formulae work one way only so 10 mod 3 (the remainder of 10 divided by 3) is 1 but so is 7 mod 3, so knowing the result (1) does not get you back to 10 (it could be 7 or 4 or 100 or ...). Other formulae involve taking the password and passing it through a formula with a secret "key" number (if you start multiplying very large prime numbers together, you create a lot of work for someone to work out what the two factors of the resulting extremely large number are).

This is done multiple times with multiple functions in the fractions of a second after you create a password. Only you know the password to put into this function to produce the "hashed" version and it is only when the hashed versions match that the system "unlocks".

There are other means to throw password crackers off the scent (you may hear of "salting" - bit like throwing "pseudo random" extra characters into the encoding stream to further obfuscate the original password), but that is the general idea.

As long as the various algorithms etc. remain either confidential or too obscure, just stealing a "hashed password" does not help the hacker get back to the original password that has to be entered at the password prompt.

After notification of any breach, however, it is wise to change your password as you never know for sure what has been breached or how secure the hash and salting functions were.

(More ...)
David
Running FH 6.2.7. Under Wine on Linux (Lubuntu 18.04 LTS)
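
The hashing and salting idea discussed in this thread, as an added Python example that is not part of any poster's message and is not MyHeritage's code. It shows a site storing only a salt and a hash and checking a login by recomputing, alongside a single salted SHA-1 pass for comparison; the salt-then-password layout, the 16-byte salt and the 600,000 iteration count are assumptions, and the passwords are constructed samples.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the thread


def salted_sha1(password: str, salt: bytes) -> bytes:
    """One fast pass of SHA-1 over salt + password (this layout is an assumption)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What a site stores at sign-up: the salt and the derived hash, never the password."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """At login: repeat the same derivation with the stored salt and compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def demo() -> dict:
    """Run the checks on constructed sample passwords."""
    pw = "correct horse battery staple"  # constructed sample, not a real credential
    alice, bob = make_record(pw), make_record(pw)  # two accounts, same password
    return {
        "same_password_different_hashes": alice["hash"] != bob["hash"],
        "right_password_accepted": verify(pw, alice),
        "wrong_password_rejected": not verify(pw + "r", alice),
        "sha1_same_salt_same_hash": salted_sha1(pw, b"s1") == salted_sha1(pw, b"s1"),
        "sha1_new_salt_new_hash": salted_sha1(pw, b"s1") != salted_sha1(pw, b"s2"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The salt makes two accounts with the same password store different hashes; the iteration count is what separates a deliberately slow password hash such as PBKDF2 from a single fast SHA-1 pass.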

gwilym'smum
Superstar
Posts: 265
Joined: 01 Feb 2016 16:28
Family Historian: V6.2
Location: South Cheshire

Re: Has anyone else not been notified about this?

Post by gwilym'smum » 20 Apr 2020 15:59

Thank you David for taking the time to explain.
Ann
Researching Mayer, Parr/Parr, Simcock, Beech and all related families
