Israel-based DNA testing service MyHeritage announced that more than 92 million user accounts have been compromised in an apparent hacking incident.
The firm said it was informed of the situation earlier this week when its employees found a file named “myheritage” containing email addresses and hashed passwords on a private server.
“Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords,” the company said in a statement said.
Following the discovery, the consumer genealogy website said it immediately began an investigation to determine how its contents were obtained and confirmed that no other data related to its customer accounts was found on the outside server.
“There has been no evidence that the data in the file was ever used by the perpetrators,” the company added.
MyHeritage, which was founded in 2003, launched its DNA program in 2016, that allows its users to send in a saliva sample for genetic analysis in addition to building their family trees and hunt for potential relatives. The website currently has 96 million users from around the world with 1.4 million of them who have taken the DNA test.
The consumer DNA testing industry has bubbled into a $99 million business in recent years with competitors like Ancestry.com and 23andMe, but has been scrutinized by lawmakers.
Last November, Sen. Chuck Schumer, D-N.Y., called for more regulations around the kits, citing that unknowing customers may be putting their genetic information at risk of being sold to third parties.
“Here's what many consumers don't realize, that their sensitive information can end up in the hands of unknown third-party companies," Schumer said last November. "There are no prohibitions, and many companies say that they can still sell your information to other companies."
However, MyHeritage has reemphasized in its statement that it hosts its DNA data on “a segregated system,” which includes added layers of security, and no data has been breached.