The company said the breach occurred on October 26, 2017. But the service did not learn about the incident until Monday, more than seven months later.
"There has been no evidence that the data in the file was ever used by the perpetrators," the company said.
No other information, except for the email addresses and hashed passwords, was exposed, MyHeritage said. The company said that it does not store customer credit card information. Sensitive data such as DNA information and family trees are stored on systems that are separate from those that contain email addresses, the company said. "We have no reason to believe those systems have been compromised."
MyHeritage learned of the breach only after the researcher, who was not named, contacted the company's chief information security officer, Omer Deutsch. After Deutsch was alerted, the company said its security team analyzed the file sent from the researcher and confirmed that its contents were legitimate and that the data originated from MyHeritage.
The company did not explain in the announcement how the breach occurred or why it never detected the intrusion. MyHeritage spokesman Rafi Mendelsohn said in an email to The Washington Post, "We are investigating that right now and aim to have an update in the next few days."
MyHeritage said it is "taking immediate steps" to hire an independent cybersecurity firm to investigate the breach and determine its scope.
The company has set up a 24/7 support team to field questions from customers.
MyHeritage is the latest company in a seemingly endless string of data breaches. Ticketfly, the concert-ticketing company, recently said that customer information was compromised including names, addresses, emails and phone numbers after a hacker reportedly took control of the site. And last month, the company behind Chili's restaurants announced that customers' payment information may have been exposed in a malware attack.
The barrage of data breaches highlights the heightened risks of identity theft and the continued vulnerabilities presented by databases of customer information and mobile apps.
MyHeritage customers are among the millions of Americans who have bought into the new market for consumer genealogy, sending spit-filled tubes or cheek swabs to DNA-testing websites that offer to help them discover their family history. Popularized by companies such as 23andMe and Ancestry.com, the testing and analysis of ancestry data has also raised questions in recent weeks over the potential misuse of such sensitive information.
This year, authorities said they were able to link a suspect to a string of crimes by using a genealogy service to trace the genetic material to one man they said killed at least a dozen people. That case has raised concerns about the implications of creating new troves of sensitive information that can be used against people who have not consented to having their genetic information tested.