> Is it customary to store other details in separate tables and have different access rights between the 2 tables?
There's more to that sentence. Outside of enterprise corporations, I've never actually seen an application database user with permissions to the user credentials table but not the rest of the tables in the database related to that application.
Agreed, if the data are from a database table, it's likely that all the tables in the database were exposed. Depends on the method of intrusion, e.g. did they get access to a database backup, access to the live database, access to something a developer carelessly left unprotected in EC2, etc.
Also, their statement "We have no reason to believe that any other MyHeritage systems were compromised" is a fancy way of saying "we have no idea what happened" and equivalent in my mind to "We have no reason to believe that any other MyHeritage systems were not compromised."