Hacking in the Genetic Genealogy World!

There are so many security breaches and problems for us genetic genealogists to worry about these days! Why would anyone want your DNA data? I can understand wanting your credit card information, although these days those companies are quick to spot fraud. But why hack a DNA site? My DNA can tell you my eye color, blood type, and that I have no genetic diseases; but mainly it is useful for seeing who I match and finding out some information about my ethnicity. These sites do not have my social security number or birth date, plus most do not have my credit card numbers on file. Maybe it is a clever criminal wanting to know if there are any close matches to his DNA? Or a foreign country wanting to know if someone whose DNA they have is an American spy?

Hacker image from a photo by Jefferson Santos on Unsplash

We have been suffering through several days of GEDmatch being down, due to being hacked, with no end in sight [UPDATE 25-Jul-2020: it’s back, yeah!]. I hate not being able to run some of their great tools. At least you can ask matches from Ancestry to upload to Family Tree DNA or MyHeritage in order to get the one to one comparisons.

The DNA Geek, Leah Larkin, reported that there have also been phishing emails sent pretending to be from MyHeritage where the G is replaced by a Q! So please don’t fall for any of those; see https://thednageek.com/phishing-attempt-at-myheritage/

My Google News Alert had an article that claimed that Ancestry.com user information had been exposed via a cloud hack through the Family Tree Maker Software: https://siliconangle.com/2020/07/21/family-tree-maker-exposes-records-online-via-unsecured-elasticsearch-database/ However, MacKiev Software claims this is not so, and that they spotted the vulnerability before anyone was hacked: https://support.mackiev.com/349796-FAMILY-TREE-MAKER—Data-Security-Article

So I decided that having the same password at all my genealogy sites was not a good idea any more, even though I only use that password for genealogy and DNA. So I went around changing my passwords on those sites yesterday. It’s probably a good practice to change them every six months or so anyway.

Here is the email received yesterday from GEDmatch:

 

Dear GEDmatch member,

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

Sincerely,

Brett Williams
CEO, Verogen Inc.

7 thoughts on “Hacking in the Genetic Genealogy World!”

  1. My immediate reaction was two possibilities: 1) hackers found a vulnerability and exploited it because hackers gotta hack; or 2) more sinister, somebody objects to GEDmatch support of crime investigations and wants to cause people to not share their DNA in order to preemptively thwart law enforcement. DISCLAIMER: I’m enthralled in the HBO crime series “I’ll Be Gone in the Dark” so my headspace is leaning toward #2.

    • There could be a good reason for this as I stated one time before. The “Genetic Detective” series (excellently done) allowed one to see the process of finding a link between family members and a “person of interest.” Now the only way to stop this process is to hack into Gedmatch, which was mentioned so many times on the series along with the company of Parabon, and the best detective in modern history. As I suggested once before, there was too much information and anyone “out there” with a history of violence, now knows he or she can be found using the DNA of others in one’s family. I do not think those responsible were trying to do the detective work that is done so well by CM, but perhaps to seek out emails of those who are linked to the possible member of the family whose past he or she is trying to keep hidden. In one interview some time back, it was asked what would be the best find or which crime was trying to be solved that meant the most. Email me and I will let you know what I think this could be linked to. It is far-fetched but it struck me from the onset of the series that this was something waiting to happen as the info was just too good. I sat in front of the TV taking notes! I loved this show. I think there are others out there who would love it as well but also want to hide their pasts which are found on Gedmatch, etc. Just a thought but I thought this from the get-go. I had a bad feeling! Kitty, you have my number. Barb

      • One irony that occurred to me after watching “The Genetic Detective” is how genetic genealogy helps level the racial playing field for solving cold cases. The CODIS database contains a disproportionate number of samples from minorities, owing to laws in many states that mandate that anybody convicted of a felony must provide a DNA sample. Obversely, a large majority of DNA profiles in the Gedmatch database come from white people of European descent, a population that is underrepresented in CODIS. Indeed, every perpetrator caught in season 1 of The Genetic Detective was white.

  2. Kitty,

    It’s very likely that most genealogy companies know what they’re doing and use secure 1-way hashed passwords that can’t be read by hackers. So your action to change passwords, while prudent, may not be necessary.

    Unfortunately, the companies don’t tell us whether they do use secured passwords. But in GEDmatch’s case, it’s unlikely passwords were obtained. If they were, there would have been no reason for the hackers to set up the MyHeritage phishing site. They could and would instead have simply tried all the emails and passwords at MyHeritage, and plenty of them would have worked.

  3. I have been awaiting this blog post from my most knowledgeable distant cousin. You are a calming voice in these crazy times!♥️ But for now I think I will hold off on encouraging uploads to Gedmatch.

  4. Hacking a genealogy site can provide hackers with answers to typical security question answers. Some might be mother’s maiden name, the city your dad grew up in, etc.
