by plodman 2922 days ago
Forgive my ignorance on the subject but why would there only be usernames and passwords in this file? Is it customary to store other details in separate tables and have different access rights between the 2 tables?

Or did the perpetrators just pull login details as it’s the only useful information?

3 comments

"Is it customary to store other details in separate tables"

It's quite common to store just what's needed for logins in its own table.

> Is it customary to store other details in separate tables and have different access rights between the 2 tables?

There's more to that sentence. Outside of enterprise corporations, I've never actually seen an application database user with permissions to the user credentials table but not the rest of the tables in the database related to that application.

Agreed, if the data are from a database table, it's likely that all the tables in the database were exposed. Depends on the method of intrusion, e.g. did they get access to a database backup, access to the live database, access to something a developer carelessly left unprotected in EC2, etc.

Also their statement "We have no reason to believe that any other MyHeritage systems were compromised" is a fancy way of saying "we have no idea what happened" and equivalent in my mind to "We have no reason to believe that any other MyHeritage systems were not compromised."

According to the Security Now podcast the information was/is separate.

"The good news is there are apparently three entirely separate databases. There is the user login account database. There is the financial credit card charging-people-for-the-service database. And also, separate from either of those two, is the genealogy we've-got-your-DNA-that-you-uploaded-to-us database."

https://www.grc.com/sn/sn-667.htm

If my recent projects are anything to go by where they pushed for a microservices architecture, authentication and user information beyond usernames / passwords / permissions are two separate domains, and thus stored in separate systems (and databases).
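The table-level separation discussed in this thread (a login service that can read credentials but nothing else, and an application role that never sees password hashes) can be expressed as PostgreSQL grants. This is an added example, not code from any commenter or from MyHeritage; the schema, table and role names are hypothetical.

```sql
-- Added example (not from the thread): PostgreSQL roles that implement the
-- credential/profile separation commenters describe. All names are hypothetical.

-- Credentials live in their own schema; everything else lives in another.
CREATE SCHEMA auth;
CREATE SCHEMA app;

CREATE TABLE auth.credentials (
    user_id       bigint PRIMARY KEY,
    username      text   NOT NULL UNIQUE,
    password_hash text   NOT NULL   -- salted, slow hash; never the plaintext password
);

CREATE TABLE app.profiles (
    user_id   bigint PRIMARY KEY,   -- same key as auth.credentials, joined only by services
    full_name text,
    email     text
);

-- One role per service. A new role has no privileges on these schemas by default.
CREATE ROLE auth_svc LOGIN PASSWORD 'PLACEHOLDER-ROTATE-ME' NOINHERIT;
CREATE ROLE app_svc  LOGIN PASSWORD 'PLACEHOLDER-ROTATE-ME' NOINHERIT;

-- Login service: may read and update credential rows, and nothing in app.
GRANT USAGE ON SCHEMA auth TO auth_svc;
GRANT SELECT, UPDATE ON auth.credentials TO auth_svc;

-- Application: profile data only; it cannot even resolve names in the auth schema.
GRANT USAGE ON SCHEMA app TO app_svc;
GRANT SELECT, INSERT, UPDATE, DELETE ON app.profiles TO app_svc;

-- Check (run as a superuser or the schema owner):
--   SET ROLE app_svc;
--   SELECT password_hash FROM auth.credentials;
-- fails with "permission denied for schema auth", so a compromise of the
-- application's connection string does not by itself expose password hashes.
```

Separate roles only limit exposure when each service really connects with its own role; a backup or a careless copy of the whole database, as the thread notes, bypasses table-level grants entirely.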