MyHeritage doesn't store user passwords.
"There has been no evidence that the data in the file was ever used by the perpetrators", said Omer Deutsch, the company's chief information security officer in a blog post, adding that the company has not seen any indication that the accounts had been compromised.
The security breach, discovered by a researcher, includes all the email addresses of MyHeritage users who signed up through October 26, 2017.
The genetic analysis and family tree website MyHeritage was breached past year by unknown actors, who exfiltrated the emails and hashed passwords of all 92 million registered users of the site.
In a statement on its website, MyHeritage said it became aware of the incident on Monday, the same day of the announcement. A hacker able to decrypt the hashed passwords exposed in the breach could access personal information accessible when logging into someone's account, such as the identity of family members.
Lord & Taylor Is Closing 10 Stores Including Its Fifth Avenue Flagship
She said she reorganized management there to have experienced executives run different regions and report directly to her. The company's shares, down 12 per cent this year, were down 1.6 per cent in afternoon trading Tuesday.
The security researcher, whom MyHeritage didn't name, reported that the server didn't contain any other data related to the company.
The MyHeritage incident marks the biggest data breach of the year, and the biggest leak since last year's Equifax hack.
A security researcher contacted the company after discovering a file named "myheritage" on a private server, MyHeritage said.
MyHeritage recommends users change their passwords and said they should take advantage of a two-factor authentication feature the company plans to release soon. Credit card information isn't stored on MyHeritage, it said, but is instead stored on "trusted third-party billing providers" like BlueSnap and PayPal. "We have no reason to believe those systems have been compromised", the company said. After Deutsch was alerted, the company said its security team analyzed the file sent from the researcher and confirmed that its contents were legitimate and that the data originated from MyHeritage. Current health privacy laws outdate platforms like 23andMe and Ancestry.com, and therefore don't adequately protect genetic privacy.
A full report will likely take a while; the company is planning to hire an external security firm to look into the breach, and is working on notifying relevant authorities under USA laws and GDPR, among others.