
Conventional password security measures have become insufficient when massive data breaches frequently expose millions of users to hacking attacks. More than 92M customer records were recently exposed in the huge MyHeritage data breach. Even users with email addresses and salted SHA-1 password hashes were not safe.
While encryption is a two-way function that scrambles information so that only someone with the corresponding key can unscramble and read it, hashing is a one-way function: an algorithm maps data of any size to a fixed-length value. It is meant to verify that a file or piece of data hasn’t been altered, that is, that it is authentic.
A salt is a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute force attacks, where a computer or botnet attempts every possible combination of letters and numbers until the password is found, as explained by
In October 2017, the genealogy website MyHeritage suffered a data breach. The incident was reported only seven months later after a security researcher discovered the data. In total, more than 92M customer records were exposed.
Why are you only hearing about this now? Sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly.
In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to, which is offering to try these next 2 steps to better password security and protect all your accounts:
Step 1: Protect yourself with strong, unique passwords for each website with a password manager. That way, even if your data for one site is compromised, the others stay secure.
Step 2: Enable two-factor authentication and store the codes in one of the applications for password management.
In addition, monitor websites such as Have I Been Pwned for data breaches.
You can also run a search for breaches of your email address again at any time to get a complete list of sites where your account has been compromised. Google has a similar tool that checks your email.
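
The hashing and salting described earlier in this article can be seen in a short Python sketch. It is an added example, not code from MyHeritage or any service named here: it stores the same password for two users with SHA-1 and a salt appended to the end, then with PBKDF2, a deliberately slow alternative. The function names, the sample password and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

def sha1_unsalted(password: str) -> str:
    # One-way, fixed-length digest: identical passwords give identical hashes.
    return hashlib.sha1(password.encode()).hexdigest()

def sha1_salted(password: str, salt: bytes) -> str:
    # Salt appended to the end of the password, as the article describes.
    return hashlib.sha1(password.encode() + salt).hexdigest()

def new_record(password: str) -> dict:
    # A fresh random salt per user is stored next to the hash.
    salt = os.urandom(16)
    return {"salt": salt, "hash": sha1_salted(password, salt)}

def verify(password: str, record: dict) -> bool:
    candidate = sha1_salted(password, record["salt"])
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate, record["hash"])

def slow_record(password: str, iterations: int = 600_000) -> dict:
    # PBKDF2 repeats the hash many times, so every guess costs far more
    # than a single SHA-1 call. The iteration count is an assumed value.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk.hex()}

def slow_verify(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

if __name__ == "__main__":
    pw = "correct horse battery"  # constructed sample password
    print("unsalted, two users:", sha1_unsalted(pw) == sha1_unsalted(pw))
    alice, bob = new_record(pw), new_record(pw)
    print("salted hashes equal:", alice["hash"] == bob["hash"])
    print("salted verify:", verify(pw, alice), verify("wrong guess", alice))
    rec = slow_record(pw)
    print("pbkdf2 verify:", slow_verify(pw, rec), slow_verify("wrong guess", rec))
```

The salt makes each stored hash unique, but a single SHA-1 call is still very cheap to compute per guess, which is why a slow key-derivation function is the stronger storage choice.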