We also asked for more information on the unidentified security researcher and where the stolen data was found. Rafi Mendelsohn, MyHeritage's director of PR and social media, responded by email, saying only: "We are investigating that right now and plan to have updates on the blog over the next few days."
The company reviewed the file and confirmed it contained the email addresses of every user who had signed up for MyHeritage before October 26, 2017, along with their hashed passwords, which hide a user's actual password.
"There has been no evidence that the data in the file was ever used by the perpetrators", Omer Deutsch, MyHeritage's chief information security officer, wrote.
MyHeritage said it believes the breach was limited to user email addresses, and that it has no reason to believe any other systems were compromised. "This means that anyone gaining access to the hashed passwords does not have the actual passwords", MyHeritage assured. "We have no reason to believe those systems have been compromised", the company said.
The email addresses are valuable, though, and such a huge list would be a handy starting point for criminals to launch a phishing campaign.
MyHeritage has assured that no payment information or DNA data is at risk.
"MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer", the company said. The company does not store the credit card data of its users, instead using third-party vendors such as PayPal.

After Deutsch was alerted, the company said its security team analyzed the file sent by the researcher and confirmed that its contents were legitimate and that the data originated from MyHeritage.

Last year, 23andMe CEO Anne Wojcicki told Recode that the company keeps genetic information "totally separate" from information that could be used to identify a user, such as email addresses.

MyHeritage is also working with an independent cybersecurity firm, which will conduct reviews to determine the scope of the breach and offer suggestions on preventing something like this from happening again. Aside from informing users, MyHeritage stated it is taking steps to notify relevant authorities, as required under GDPR.
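As an added illustration, not code from the article or from MyHeritage, the Python below shows what "a one-way hash of each password, in which the hash key differs for each customer" means in practice, and why the company can say that a copy of the hashed passwords "does not have the actual passwords": each record carries its own random salt, the digest is produced by a slow one-way function (PBKDF2-HMAC-SHA256 from the standard library), and the stored file never contains the password itself. The iteration count, salt length and sample accounts are assumptions chosen for the example. For contrast it also computes an unsalted fast hash, where two users with the same password get identical digests, which is exactly the correlation a per-customer salt prevents.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not MyHeritage's): a work factor that
# makes offline guessing slow, and a 16-byte random salt per record.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied,
    so the 'hash key' differs for every customer even if passwords repeat."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time.
    This is the only way to get from a record back to a yes/no answer: the
    digest itself is never inverted."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_sha1(password: str) -> bytes:
    """The weak alternative: a fast, unsalted hash. Identical passwords collide
    across users, so one leaked file reveals who shares a password."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def build_credential_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Model of what a leaked credential file would hold: email -> (salt, digest).
    The plaintext passwords are used only at enrolment and never stored."""
    return {email: hash_password(pw) for email, pw in accounts.items()}


def count_distinct_digests(table: Dict[str, Tuple[bytes, bytes]]) -> int:
    """How many unique digests appear in a table; with per-user salts this
    equals the number of users even when passwords repeat."""
    return len({digest for _, digest in table.values()})


# Constructed sample accounts; two of them deliberately share a password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "correct horse battery",
    "carol@example.com": "another passphrase",
}


if __name__ == "__main__":
    table = build_credential_table(SAMPLE_ACCOUNTS)
    for email, (salt, digest) in table.items():
        print(f"{email}: salt={salt.hex()} digest={digest.hex()[:16]}...")
    print("distinct salted digests:", count_distinct_digests(table))
    print("distinct unsalted digests:",
          len({unsalted_sha1(pw) for pw in SAMPLE_ACCOUNTS.values()}))
    salt, digest = table["alice@example.com"]
    print("alice login ok:", verify_password("correct horse battery", salt, digest))
    print("alice wrong pw:", verify_password("wrong", salt, digest))
```

Running the block shows three distinct salted digests for three users even though two passwords are identical, against only two distinct unsalted digests; the verify step succeeds only with the right password, and the table holds no plaintext at all, which is the property the company's statement relies on.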