Steps We’ve Taken
- Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident. We have engaged a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.
- We have notified relevant authorities as per GDPR.
- We set up a 24/7 security customer support team to assist customers who have concerns or questions about the incident.
- We started a process to expire all passwords on MyHeritage, requiring our users to set a new password. You can read more about this in the follow up announcement we issued on June 5, 2018.
- We added support for Two-Factor Authentication.

MyHeritage also outlined what the users of the program should do. Here is that outline.

1. Change your password on MyHeritage.
Changing your password is a prudent and recommended practice. After doing this, you’ll be safer, because even if someone else has your password they will not be able to access your MyHeritage account from now on.
For maximum security, change passwords often and avoid using the same password on different services and websites, so if your password is ever compromised on one of them it will not be used to access the others.
2. Add Two-Factor Authentication (optional).
Two-Factor Authentication is an extra layer of security for your account, designed to ensure that you’re the only person who can access your account, even if someone knows your password. Two-Factor Authentication allows you to authenticate yourself using a mobile phone in addition to a password, which further hardens your MyHeritage account against illegitimate access, because others don’t have access to your mobile phone. For more details, see our blog post.
For now, there are no other actions that you need to take as a result of this incident.

All of these suggestions really apply to your general use of the internet. They are good suggestions for all websites where there are passwords. Some people suggest using a password service in the form of an online company that stores or encrypts your passwords. The problem with this concept is what if that service is compromised? But you can control the situation by using good online practices and changing your passwords from time to time.
The real challenge is for those of us who have hundreds of passwords. Managing those can be a real challenge.