Shadow profiles and my Heritage security breach

Shadow profile

I received a email from have have I been pwned that my email address and password had been exposed in breach from My Heritage.  Most breaches are somewhat worry-some but as I don’t use the same passwords because I have a password manager with lengthy random passwords; its less of a problem.

MyHeritage Statement About a Cybersecurity Incident

What was shocking about the myheritage breach for me, was that I have never logged in to or used myheritage ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.

I believe a member of my large family entered my email address and then added details about me into myheritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto generated by myhertiage? The only way I could get access to the account was via a password reset. Once in I deleted my account straight away, but I thought about it some more.

The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.

If I’m right this is deeply troubling and a worrying precedent!

Author: Ianforrester

Senior firestarter at BBC R&D, emergent technology expert and serial social geek event organiser. Can be found at cubicgarden@mas.to, cubicgarden@twit.social and cubicgarden@blacktwitter.io

One thought on “Shadow profiles and my Heritage security breach

Comments are closed.