What happened
According to public breach records, the MyHeritage data breach on October 26, 2017 is reported to have exposed the personal information of 91,991,358 accounts.
In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported 7 months later after a security researcher discovered the data and contacted MyHeritage. In total, more than 92M customer records were exposed and included email addresses and salted SHA-1 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
Passwords in this breach were reportedly stored as SHA-1 hashes.
On June 4, 2018, MyHeritage's chief information security officer was contacted by a security researcher who had found a file named "myheritage" on a private server outside the company, containing the email addresses and hashed passwords of 92,283,889 users who had signed up on or before October 26, 2017 (the date the data was taken). The exposure was limited to email addresses and one-way password hashes; MyHeritage said payment card details and DNA/genetic test results were stored on separate systems and were not part of the file. It was among the largest credential exposures disclosed that year, and MyHeritage responded by expiring all user passwords and accelerating its rollout of two-factor authentication. true
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
Breach details
| Detail | Value |
|---|---|
| Breach name | MyHeritage |
| Date | October 26, 2017 |
| Accounts affected | 91,991,358 |
| Domain | myheritage.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by MyHeritage; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your MyHeritage password immediately, and change it anywhere else you reused that same password.
- Enable two-factor authentication on your MyHeritage account and other important accounts.
- Use a unique password per site so one leaked credential cannot unlock other accounts.
- Watch for phishing emails referencing MyHeritage, genealogy, or DNA, since exposed email addresses are common lure targets.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- MyHeritage Statement About a Cybersecurity Incident - MyHeritage Blog
- MyHeritage Genealogy Site Announces Mega Breach Affecting 92 Million Accounts - BleepingComputer
- Researcher Finds Credentials for 92 Million Users of DNA Testing Firm MyHeritage - Krebs on Security
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →