Follow up from MyHeritage GDPR request

Shadow profile
I got this from MyHeritage today… after submitting my GDPR request to them to find out the history of my account.
We apologize for this breach and the fact that your email address might have been part of it. The email addresses were included in the breach along with a hashed password – not the actual password (which has been expired and can no longer be used to access the account on MyHeritage). Other than this, there has not been a violation of the data. See our official statement here and an updated statement here.

Please be advised that this incident does not affect the privacy of any sensitive information you have on your online family site, including DNA information and family trees. Only hashed versions of passwords were stolen, which means they cannot be used to log in to your private account on MyHeritage.

There has been no evidence that the stolen information was ever used by the perpetrators. Between Oct 26, 2017 (the date of the breach) and the present we have not seen any activity indicating that any MyHeritage accounts had been compromised.

The privacy and the security of your information is our highest priority and we continually assess our procedures and policies and seek the best methods to secure information. The work on adding two-factor authentication to MyHeritage is completed and you can read the full explanation about this feature here.

In addition to that, I have carried out a search within our system, and I was not able to locate an account using your email address: **********************************

If you had an account using this email address and the account was deleted, we currently do not retain any information from your registered account and therefore, I cannot provide you with any information regarding it as it no longer exists.

However, if you registered to MyHeritage using another email address, please let me know with which so I will be able to locate it. In addition to that, as an extra security measure, if you still have access to this email address would you please be so kind to send us an email using that address?

If you run into any further issues, by all means, please don’t hesitate to reply. I’m here for you.

MyHeritage Support team

Maybe I deleted my account too soon, unfortunately giving them an easy out. I should have done the GDPR request then deleted my account afterwards! I was looking forward to seeing proof the account was a shadow profile.

Shadow profiles and MyHeritage security breach

Shadow profile

I received an email from Have I Been Pwned that my email address and password had been exposed in a breach from MyHeritage. Most breaches are somewhat worrisome, but as I don’t use the same passwords, because I have a password manager with lengthy random passwords, it’s less of a problem.

MyHeritage Statement About a Cybersecurity Incident

What was shocking about the MyHeritage breach for me was that I have never logged in to or used MyHeritage ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.

I believe a member of my large family entered my email address and then added details about me into MyHeritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto-generated by MyHeritage? The only way I could get access to the account was via a password reset. Once in, I deleted my account straight away, but I thought about it some more.

The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.

If I’m right, this is deeply troubling and a worrying precedent!