Category Archives: Tech Tips

MyHeritage Suffers Data Breach

In October of 2017, MyHeritage suffered a data breach. Over 92 million customer records were exposed. This included email addresses and salted SHA-1 password hashes.

Since then, attackers have been able to crack the majority of the password hashes. A list of email addresses and cracked passwords from the MyHeritage breach has recently been offered for sale on the dark web.

How does this affect me?

Password reuse: many people make the mistake of using the same password on many, or all, of the websites they use.

If you used the same password for MyHeritage as for your email, Facebook, banking or other accounts, an attacker can take the cracked password and log in to those accounts as you. This is called credential stuffing, and it is usually automated, so it does not matter how obscure you think your MyHeritage account was.

What do I need to do?

Identify every service where you may have used the same password and change it there. The ‘forgot my password’ link on most websites will let you do this.

Set each new password to something long and unique to that site. Write it down in a notebook kept securely at home or, better, use a password manager.

Two great password managers are 1Password, and KeePassXC.

Another important step is to turn on two-factor authentication wherever it is offered, so that a cracked password on its own is not enough to get into the account.

Have I Been Pwned (the ‘Check if you have been Pwned’ service) lets you see whether your email address or a password has appeared in any data breach whose data has become public. The password check does not send your password to the service: it is hashed with SHA-1 in your browser and only the first five characters of the hash are sent; the rest of the matching happens locally, so the service never learns the password itself.

You can check your email at:

You can check a password at:

I highly recommend you use this free service to help keep yourself secure.
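To show what that password lookup does under the hood, here is an added example (not code from the original post, and not Have I Been Pwned’s own code) that implements the client side of the Pwned Passwords range API in Python. The function names (split_hash, count_in_range, build_sample_range, pwned_count_live) are my own, the sample API response is constructed and the counts in it are made up; only pwned_count_live needs network access and it is not called by default.

```python
import hashlib
from urllib.request import urlopen  # used only by the optional live lookup

# Hypothetical helper names; this illustrates the Pwned Passwords range API,
# it is not HIBP's own client code.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes passwords by their upper-case hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix, suffix): the first 5 hex chars go to the API,
    the remaining 35 never leave your machine (k-anonymity)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Given the text the API returns for a prefix (one 'SUFFIX:COUNT' per line),
    return how many times the password was seen in breaches, or 0 if not listed."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count_live(password: str) -> int:
    """Live lookup (needs network). Only the 5-character prefix is sent; each
    prefix bucket holds several hundred hashes, so the service learns only that
    your password is one of those, never which one."""
    prefix, _ = split_hash(password)
    with urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(password, body)


def build_sample_range(seen) -> str:
    """CONSTRUCTED stand-in for an API response so the example runs offline.
    `seen` is a list of (password, count) pairs; the counts are invented and the
    two filler suffixes are not real HIBP data."""
    lines = [f"{split_hash(pw)[1]}:{count}" for pw, count in seen]
    lines += ["0018A45C4D1DEF81644B54AB7F969B88D65:1",   # filler (constructed)
              "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]   # filler (constructed)
    return "\r\n".join(lines)  # the real API separates lines with CRLF


if __name__ == "__main__":
    sample = build_sample_range([("password", 1000), ("grenfell", 12)])
    for pw in ("password", "grenfell", "correct horse battery staple"):
        print(pw, count_in_range(pw, sample))
```

count_in_range takes the response body as a string so the parsing can be exercised against a constructed response; in real use pwned_count_live fetches that body for the prefix. Any non-zero count means the password has been in a breach and should not be used anywhere, even if it is not in the MyHeritage list specifically.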

What is salted and hashed?

When you sign up to a website you are asked to enter a password. A properly built site does not store that password; it runs it through a one-way hash function and stores only the hash in its database.

When you log into a website, the password is converted to a hash and compared with the stored hash. If they match, you are able to log in.

If your password is grenfell, and the website is using a SHA1 hashing algorithm (as was the case with MyHeritage), it will convert the text to 3EC63D4F11F08C81B448F922A316E44E0F1628E0

The hash is there so that an attacker who steals the database does not get the passwords outright. But it is not ‘unbreakable’: SHA-1 is designed to be fast, so an attacker simply hashes guess after guess and looks for one that matches the stored value.

Using a password-cracking program called Hashcat, I was able to reverse the SHA1 hash for grenfell in under a second. This was using a brute force on all lowercase letters and numbers.

A salted SHA-1 hash is built a little differently: before the hash is computed, a salt (a random value chosen for that account and stored next to the hash) is added to the password.

If your password was grenfell, and the salt was 2019, the hash would be CEE02FF760DA4C0F8887AFDFA70EEF8AE1B70BC6

You can see that the same password now gives a completely different hash. If salting is done correctly, each user gets their own random salt, so two users who share a password still end up with different hashes, and a table of precomputed hashes is useless against the whole database.

Because the salt was known in my example, the password can also be cracked in under a second.
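Putting the sign-up, log-in and cracking steps together, here is an added Python example (not MyHeritage’s code, and not code from the original post) that stores a password as salted SHA-1 at sign-up, verifies it at log-in, and then shows the attacker’s side: with the salt taken from the stolen database, a dictionary attack or a short brute force recovers a weak password just as quickly as it would without the salt. The helper names (hash_password, register, login, crack_wordlist, crack_bruteforce) are my own, and it assumes the salt is prepended (sha1(salt + password)), which the article does not specify, so its hex output will not match the values quoted above.

```python
import hashlib
import itertools
import secrets
import string

# Hypothetical helper names for this illustration; none of this is MyHeritage's code.
LOWER_DIGITS = string.ascii_lowercase + string.digits  # the keyspace the article's brute force used


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1 as an upper-case hex string (what an unsalted site would store)."""
    return hashlib.sha1(data).hexdigest().upper()


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-1. Assumption: salt is prepended, i.e. sha1(salt + password).
    The article does not say which order MyHeritage used."""
    return sha1_hex(salt + password.encode("utf-8"))


def register(db: dict, username: str, password: str) -> None:
    """Sign-up: fresh random salt per user; store salt + hash, never the password."""
    salt = secrets.token_hex(8).encode("ascii")  # 16 hex chars, unique for every user
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def login(db: dict, username: str, password: str) -> bool:
    """Log-in: re-hash the supplied password with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    # constant-time comparison so response timing does not leak partial matches
    return secrets.compare_digest(candidate, record["hash"])


# --- The attacker's side: the salt sits in the stolen database, so it is known ---

def crack_wordlist(target_hash: str, salt: bytes, wordlist):
    """Dictionary attack: hash each guess with the known salt until one matches."""
    for guess in wordlist:
        if hash_password(guess, salt) == target_hash:
            return guess
    return None


def crack_bruteforce(target_hash: str, salt: bytes, charset: str, max_len: int):
    """Exhaustive search over every string of `charset` up to max_len characters
    (the same loop hashcat's mask attack runs at GPU speed)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guess = "".join(combo)
            if hash_password(guess, salt) == target_hash:
                return guess
    return None


if __name__ == "__main__":
    users = {}
    register(users, "alice", "grenfell")
    register(users, "bob", "grenfell")      # same password, different salt ...
    print(users["alice"]["hash"] != users["bob"]["hash"])   # ... so different hashes
    print(login(users, "alice", "grenfell"), login(users, "alice", "Grenfell"))
    # A weak password falls to a wordlist or a short brute force despite the salt.
    print(crack_wordlist(users["alice"]["hash"], users["alice"]["salt"],
                         ["123456", "password", "grenfell"]))
    register(users, "carol", "pw9")
    print(crack_bruteforce(users["carol"]["hash"], users["carol"]["salt"], LOWER_DIGITS, 3))
```

hashcat has separate modes for the two salt positions (-m 120 for sha1($salt.$pass), -m 110 for sha1($pass.$salt), and -m 100 for unsalted SHA-1), and a modern GPU runs the same guess-and-compare loop at billions of SHA-1 operations per second. Salting only stops one precomputed table from cracking every user at once; what actually slows an attacker down is a deliberately slow password hash such as bcrypt, scrypt or Argon2 in place of SHA-1.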

The attackers who cracked the MyHeritage hashes first worked out the salt used for each account and then ran their guesses through the same salted hash. That is the normal situation rather than a special weakness: the salt is stored next to the hash, so whoever has the database has the salts too. A salt stops an attacker from cracking every user with one precomputed table; it does nothing to slow down guessing against a single hash.

In cases like this, simple passwords are the first to be ‘cracked’. Of the 92,283,889 accounts in the MyHeritage breach, 91,991,358 were eventually cracked.

That leaves 292,531 users (about 0.3%) whose passwords were strong enough to withstand the cracking attempts. Using a long, unique password puts you in that group.

Google Yourself

What does the internet know about you? What have you posted on social media that is visible to everyone? Are you leaking too much data? “Googling” yourself sounds like something Vanity Smurf would do in admiration of his own image. But it is something you should do too, not because you are vain, but because it is a great way to see what information about you is publicly visible online.

Do a Google search for your name. What results do you get? I’ll wait.

This information can be viewed by anyone: a stalker, a cyber-criminal or a potential employer. What they find could lead to an unwanted confrontation, identity theft, or losing out on a job because of a silly social-media post.

How to Search

There are many ways to search for data on the internet. Google, which is by far the most popular search engine, is a good start. Mix it up and use Bing or DuckDuckGo as well. Different search engines will provide different results. It is a good idea to cast your net widely.

Here are some basic search terms to try:

  • Your Name – without inverted commas. This brings up results containing ‘Your’ and ‘Name’, but not always the exact phrase.
  • “Your Name” – with inverted commas. This shows results containing the exact phrase ‘Your Name’.
  • Your Name Town – brings up results containing Your, Name and Town.
  • “Your Name” “Town” – brings up results that must include both ‘Your Name’ and ‘Town’ (Google ignores a ‘+’ between the terms; the quotes are what make each term required).
  • “Your Name” site:example.com – searches for the phrase only on one website (replace example.com with that site’s domain). You could use this to search for articles in your local newspaper that contain your name.

Other terms worth searching for are your phone number and email address. If you can find those in a Google search, so can anyone else.


We live in a world where we are increasingly losing our privacy, whether through another high-profile data breach, by trading privacy for small rewards (loyalty cards), or simply by failing to lock down our own social-media accounts. Someone else is making a living from your data. You could become a hermit and move into the forest, or you could take some steps to reclaim your privacy.


There are many variants of phishing email doing the rounds. Often I will do a write-up on a phish that looks particularly authentic and has managed to get past my spam filtering, as in the past with NAB, Commbank and MyGov phishing emails.

Phishing emails work by baiting the victim into clicking a link, opening an attachment or replying with information. Phishing plays on a sense of urgency: the scammer manufactures pressure so the victim takes the bait before stopping to think.

Links may lead to a website designed to harvest credentials for email, financial services or other sites. Attachments may carry malware, such as ransomware. Emails that ask you to reply may request personal details for identity fraud, or credentials for online services.

Another type of phish, with a much higher success rate, is spear-phishing: a targeted attack in which the phish is crafted for, and sent to, one person. Before sending it, the attacker researches the target. The more information they can gather, often from over-sharing on social media, the higher the chance the target takes the bait.

A spear-phish is used when the attacker has a specific goal, such as compromising the organisation you work for. The attacker does their homework and sends you a specially crafted email that appears to come from your boss or a colleague. Posing as that person, they might ask for your current password for the finance system, or ask you to look over an attached document. The document may contain malware that gives the attacker a foothold on the company network.

Phishing can be very hard to protect against, but there are some steps to take:

  • Don’t act on a sense of urgency. This is a tactic used by an attacker to lower your guard and deny you the time to properly analyse the request.
  • Double-check that the sender is legitimate. If you receive a request for sensitive information, confirm that the person who sent it is who they claim to be by contacting them through another channel, e.g. by telephone, and never using a number given in the suspect email.
  • Scan links and attachments with a service such as VirusTotal. Be aware that files you upload there are shared with security vendors, so search for the file’s hash first rather than uploading anything confidential.
  • Ask a friend for advice. Even if the friend is not tech-savvy, talking it through out loud often makes it obvious that it is a scam.
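The ‘double-check the sender’ and ‘don’t act on urgency’ advice above can be partly automated. The following is an added Python example (not code from the original post) that parses a raw email and flags the usual tells: a Reply-To or Return-Path domain that differs from the From domain, pressure words in the subject or body, a link whose visible text names one site while the href goes to another, and a link to a bare IP address. Both sample messages are constructed for this example using example.* placeholder domains, and the heuristic names (analyse, LinkExtractor, domain_of, host_of) are my own; a clean result is not proof an email is safe, only that these particular tricks are absent.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# CONSTRUCTED sample messages (example.* placeholder domains), not real phish.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank.example.net>
Reply-To: recovery-desk@example.org
Return-Path: <bounce@example.org>
To: you@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual activity was detected. You must verify your details immediately or access will be locked.</p>
<p>Sign in here: <a href="http://203.0.113.7/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
Return-Path: <alerts@example-bank.com>
To: you@example.com
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement for last month is now available.</p>
<p><a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspend", "locked", "24 hours", "act now")
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text for the urgency check."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def domain_of(address: str) -> str:
    """Domain part of an address header value such as '"Bob" <bob@example.com>'."""
    return parseaddr(address)[1].rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyse(raw: str):
    """Return a list of (code, detail) findings; an empty list means no heuristic fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(str(msg["From"] or ""))
    for header in ("Reply-To", "Return-Path"):          # replies/bounces going elsewhere
        value = msg[header]
        if value and domain_of(str(value)) != from_domain:
            findings.append((header.lower() + "-mismatch",
                             f"{header} domain differs from From ({from_domain})"))

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    visible = (str(msg["Subject"] or "") + " " + "".join(parser.text)).lower()
    hits = [w for w in URGENCY_WORDS if w in visible]
    if hits:
        findings.append(("urgency", "pressure language: " + ", ".join(hits)))

    for href, text in parser.links:
        href_host = host_of(href)
        if IP_HOST.match(href_host):
            findings.append(("ip-link", f"link points at a bare IP address: {href_host}"))
        if ("://" in text or text.startswith("www.")) and host_of(text) != href_host:
            findings.append(("link-mismatch",
                             f"text says {host_of(text)} but link goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or "no findings")
```

The From/Reply-To comparison is deliberately domain-level rather than exact-address, because a phish will often spoof the display name of a real organisation while using a throwaway mailbox to collect replies; the link check mirrors what you should do by hand, which is hover over the link and compare the real destination with the text you were shown.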

Report a Scam

Phishing and other scams can be reported to Scamwatch.