MyHeritage Breach – What the Experts Are Saying

Another day, another announcement regarding a huge data breach. It seems the current challenge is to resist becoming desensitized to these all-too-common headlines. If we give up and accept this as our new normal, we lose and the bad guys win. Luckily, there are dedicated cybersecurity experts who remain vigilant and are always looking for ways to counter this ever-growing threat.

As posted on the MyHeritage Blog, “Today, June 4, 2018 at approximately 1pm EST, MyHeritage’s Chief Information Security Officer received a message from a security researcher that he had found a file named myheritage containing email addresses and hashed passwords, on a private server outside of MyHeritage. Our Information Security Team received the file from the security researcher, reviewed it, and confirmed that its contents originated from MyHeritage and included all the email addresses of users who signed up to MyHeritage… and their hashed passwords.”  It continues, “We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach.”

We checked with some cybersecurity experts today to get their take on this latest breach announcement.

Anthony James, CMO of CipherCloud, a leading provider of cloud security solutions, said, “The bad news is, for sure, that 92 million MyHeritage user accounts were compromised. The attackers obtained emails and hashed passwords. Don’t believe for a second that a hashed password is safe. When a user normally logs in, the password submitted is run through the hash function and then the result is compared with the hashed password stored for that user.

Hashed passwords are absolutely not safe if stolen – these hashed passwords are still highly vulnerable to a dictionary attack, where the attacker runs a hash function against the top 100,000 most popular passwords and computes the hash function against all of them. Then all they need do is compare these calculated values to the list stolen from MyHeritage. So, NO, a smart cyberattacker could be working diligently, even now, to map the hashed values to real passwords and break the accounts.

The moral of the story? Protecting customer data is more important than ever. New best practices such as the use of Zero Trust end-to-end encryption and 2-factor authentication are required for data and threat protection as well as the barrage of new compliance regulations.”
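To make the point in Mr. James's quote concrete, the following added example (not code from MyHeritage, CipherCloud, or the article) contrasts a legacy unsalted-hash store, against which one precomputed table of a common-password list works for every user at once, with the salted, slow PBKDF2 storage that blunts that reuse. The word list, the stolen-file sample, and the record format are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "top 100,000 most popular passwords" list
# the quote describes; real lists are far larger.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def unsalted_sha1(password: str) -> str:
    """Legacy-style storage: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Hash the word list once. With no salt, the same table maps the
    stored hash of every user who chose a listed password."""
    return {unsalted_sha1(w): w for w in wordlist}


def exposed_accounts(stored: dict, table: dict) -> dict:
    """Defender-side audit: which stored unsalted hashes fall in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened storage: random per-user salt + slow PBKDF2-HMAC-SHA256.
    Record format (constructed for this example): iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample of a stolen "email -> hash" file.
    stolen = {"a@example.com": unsalted_sha1("password"),
              "b@example.com": unsalted_sha1("correct horse battery staple")}
    table = build_lookup_table(COMMON_PASSWORDS)
    print(exposed_accounts(stolen, table))  # {'a@example.com': 'password'}
    rec = hash_password("password")
    # Same weak password, but the salted record matches nothing precomputed
    print(rec.split("$")[2] in table, verify_password("password", rec))
```

Because every salted record carries its own random salt, two users with the same password get different records, so the precomputation has to be repeated per user and per iteration count rather than once for the whole file.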

Expanding this idea, Devin Coldewey of TechCrunch wrote today about this breach, saying, “The emails are not fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches. They’re mainly damaging in connection with other data. For instance, the hackers could put 2 and 2 together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That’s why it’s good to use a password manager and have unique passwords for every site.”

When asked for his insight as to why it may have taken 8 months for this breach to be discovered, Mr. James said, “Most breaches are discovered by parties external to the organization breached. Usually they find the data for sale, determine the source of the data, and then trace it back. You then get a call from a cybersecurity magazine or researcher letting you know your data is on the dark web. Very ugly. There is no more career-defining event for the security operations center team than finding out in a newsfeed that their organization has been hacked.

The reasons for this are numerous. Most cybersecurity defense is based upon a perimeter defense strategy. In this scenario, firewalls, endpoint security and a bit more are designed to keep attackers and criminals out of your networks. Unfortunately, the internet and TCP/IP were not designed for security! Once inside the network, just about everyone is considered trusted. Nothing could be worse. So once an attacker and their tools penetrate the network, they are generally free to move around quietly to perform reconnaissance, map the network, identify resources and then steal them (or destroy them).”

Commenting on what organizations should do differently to detect data exfiltration sooner, Anthony says, “Change your strategy. A new cyberdefense strategy, such as Zero Trust, says that no one either inside or outside of your network should be trusted. Zero Trust strategies for on-premise and the cloud would keep all data encrypted, all of the time, and only accessible through brokers that access the correct and secured data encryption key servers. In the event that any data is stolen or compromised, it is completely useless to the attacker as it is encrypted. This is a wonderful safe harbor as the theft of encrypted data really is not theft at all. The data is entirely useless to them. Further, the implementation of Zero Trust is incremental and compatible. You can add the technologies you need, in a fully compatible way, to beef up your perimeter-based defense so you can meet (and defeat) the current escalating threats.

As a Plan B, there are vendors like SurfWatch, Terbium and Recorded Future that offer monitoring and alerting services for nefarious activity on the dark web. They can specifically monitor the web for your data assets and resources. They can monitor for just about anything – it can be confidential company records, perhaps planning a cyber attack or selling a vulnerability in software that your company uses. Of course, when this happens you have likely already been breached, but at least you know sooner, as opposed to reading about it on the internet.”

by: Steven Bowcut, CPP, PSP, Brilliance Security Magazine Editor-in-Chief