July 2020 has been a bad month for security hacks and breaches in the world of genealogy and DNA testing websites.
On 19th July 2020, GEDmatch (owned by Verogen) announced a security breach on their Facebook page. They took their website down to address the issues, and it is still down at the time of writing. A major tech website has also reported on the events.
On 20th July, MyHeritage announced that some of their users had been targeted with a phishing scam. Specifically, these users also had a GEDmatch account.
In an unrelated incident on the same day, a security investigation firm discovered an exposed server owned by the company that maintains Family Tree Maker (a genealogy application also known as FTM). The server has since been secured.
TL;DR: are you at risk right now?
I’ll go into the background and details in the rest of this article, but let’s get to the meat first.
The latest announcement from GEDmatch maintains that the breach did not include raw DNA. I’ve no reason to doubt this.
They stated in an early announcement that “no user data was downloaded or compromised.” They have removed this blanket statement from a later announcement. The safest position for GEDmatch users is to assume that usernames, emails, and passwords are compromised. The site is currently down so you cannot log in to change your password.
However, if you use a similar email and password on any other DNA site, such as Ancestry, I advise that you change your password elsewhere.
MyHeritage users with GEDmatch accounts should carefully examine emails sent from what appears to be MyHeritage itself. In particular, be cautious of links.
MyHeritage have reported that several users fell for the phishing scam that used a fake website mimicking the official site. The fraudulent website has been taken down, but it’s possible that more phishing emails could target GEDmatch users who also use Ancestry, FTDNA, and the other DNA sites. This article by Roberta Estes has a good rundown of how to check emails to avoid phishing scams.
Ancestry Members who use Family Tree Maker
The data breach may have exposed emails but not passwords of 60 thousand users of the FTM software. It appears to be users who submitted complaints or support tickets, although we can’t be sure as MacKiev (the company behind the software) have not issued an announcement.
In contrast, and to their credit, Ancestry have issued a notice on their blog. They are confident that their own systems have not been breached, but recommend FTM users change their password as a matter of good practice.
From the information gleaned by the independent security firm, it seems that passwords were not exposed. But as email addresses were exposed, I’d advise vigilance for any phishing attempts.
So that’s the summary. Read on if you want more detailed analysis of events.
The GEDmatch Security Breach
What had actually happened with GEDmatch? This was a serious attack on several levels. Many hackers just grab emails, sell them on the dark web, and move on to look for the next vulnerability. But in this case, the hackers got into the GEDmatch system and reset all user privacy permissions.
If a user had set their profile to be private, it was now visible to all other GEDmatch users. More specifically, if a user had not opted into the GEDmatch law enforcement assistance program, their DNA kits were suddenly now available to law enforcement agencies using the GEDmatch service.
GEDmatch took the website down for a few hours, and brought it back up when they believed they’d fixed the security issue. Then there was a second breach. Bizarrely, this one did the opposite of what had happened before. It opted all users OUT of the law enforcement feature.
What is the GEDmatch law enforcement feature?
What’s this law enforcement program? This is very specific to GEDmatch. Back in 2018, I touched on how the FBI had used GEDmatch to help catch the Golden State Killer.
That simply increased the debate around whether DNA testing companies should give easy data access to law enforcement agencies. Ancestry’s position is that each and every request requires legal process. In contrast, GEDmatch introduced an opt-in policy in 2019. Users can choose to make their DNA kits available for use by law enforcement in the same way that we use the service ourselves, i.e. chromosomes can be examined and DNA matches can be reviewed.
So when this breach was first reported, there was speculation that the motives were some sort of protest hacking to embarrass GEDmatch into changing their law enforcement policies. If you framed this in a certain way, it could almost be seen as good-guy crusader hackers fighting the Orwellian machine. But then things got a lot simpler, as far as I’m concerned. Events brought this back to the usual grubby motives behind most hacks. I’m referring to the subsequent phishing attacks targeting MyHeritage users with GEDmatch accounts.
The Phishing Scam that targeted MyHeritage
On 20th July 2020, one day after the GEDmatch breach, a phishing domain was registered anonymously with GoDaddy, the giant domain service. The domain name was MyHeritaqe.com. The website itself was hosted on Microsoft’s Azure platform.
Wait, you say. How can someone register an existing domain? It’s not what your eyes are telling you. Notice there is a Q instead of a G in myheritaQe.com? A classic phishing trick.
Emails were sent to some MyHeritage users, trying to trick them into going to this fake website and attempting to log in with their usual details. Thankfully, some noticed the scam and reported it to MyHeritage. Unfortunately, some did enter their passwords into the fake website.
On 21st July 2020, MyHeritage announced the scam on their blog. MyHeritage points the finger at the GEDmatch breach. Well, actually, they couch it a little carefully: “Because GEDmatch suffered a data breach two days ago, we suspect that is how the perpetrators got their email addresses and names”.
MyHeritage also notified GoDaddy (the domain provider) and Microsoft (the hosting service). Microsoft took down the website on the same day.
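The Q-for-G swap described above is the kind of thing a small script can catch before a user ever clicks. The following is an added example written for this article, not code from MyHeritage, GEDmatch or any of the companies mentioned: it pulls the links out of an email body, reduces each link to its registrable domain, and flags domains that are one confusable substitution or one edit away from a trusted name, or that bury a trusted brand inside an unrelated domain. The trusted-domain list, the confusable-character table, the two-label "registrable domain" rule and the sample email are all assumptions constructed for illustration (a real deployment would use the public suffix list and a maintained confusables table).

```python
import re
from urllib.parse import urlparse

# Domains the reader trusts. MyHeritage and GEDmatch appear in the article;
# the rest of the list is an assumption for illustration.
LEGITIMATE_DOMAINS = {"myheritage.com", "gedmatch.com", "ancestry.com"}

# Character sequences that look alike in common fonts (constructed, not exhaustive).
CONFUSABLES = {
    "q": "g", "g": "q", "0": "o", "o": "0", "1": "l", "l": "1",
    "rn": "m", "m": "rn", "vv": "w", "w": "vv",
}

# Constructed sample modelled on the message described in the article: a plausible
# subject line and a button pointing at a lookalike domain.
SAMPLE_EMAIL = """
<p>Your Ethnicity Estimate V2 is ready.</p>
<a href="https://myheritaqe.com/login">Review DNA Match</a>
<a href="https://www.myheritage.com/help">Help Centre</a>
"""


def hostname(url: str) -> str:
    """Lower-cased host of a URL or bare domain ('' if none)."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the host. A simplification of the public suffix list."""
    return ".".join(hostname(url).split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_variants(domain: str) -> set:
    """Every domain reachable from `domain` by one confusable substitution."""
    out = set()
    for src, dst in CONFUSABLES.items():
        start = 0
        while (idx := domain.find(src, start)) != -1:
            out.add(domain[:idx] + dst + domain[idx + len(src):])
            start = idx + 1
    return out


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's domain."""
    host = hostname(url)
    dom = registrable_domain(url)
    if dom in LEGITIMATE_DOMAINS:
        return "trusted"
    for legit in LEGITIMATE_DOMAINS:
        # One confusable swap (myheritaQe) or any single-character edit.
        if dom in confusable_variants(legit) or edit_distance(dom, legit) == 1:
            return "lookalike"
        # Trusted brand used as a subdomain of something else,
        # e.g. myheritage.com.example.net.
        brand = legit.rsplit(".", 1)[0]
        if brand in host:
            return "lookalike"
    return "unknown"


def audit_email(html: str) -> list:
    """List of (url, verdict) for every href in the email body, in order."""
    links = re.findall(r'href=["\']([^"\']+)["\']', html)
    return [(link, classify_link(link)) for link in links]


if __name__ == "__main__":
    for link, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:9} {link}")
```

Run against the constructed sample, the button link is reported as a lookalike while the genuine help-centre link is trusted. The same check is worth applying to the sender's domain, which the script does not parse.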
A worrying degree of sophistication
Many phishing emails stand out through their incompetence. Poor spelling, bad grammar, irrelevant details: we can spot them a mile away. But this MyHeritage email was crafted carefully by someone familiar with DNA testing.
The subject line was “Ethnicity Estimate V2”. That is a very plausible topic for any DNA site to send out. The message body has complex phrasing with perfect grammar. Here’s a screenshot which captures the text and the clickable button:
In case I was giving the hackers too much credit, I googled the phrase “from Uzbekistan to Fiji and from Greenland to South Africa”. I wanted to see if they’d just copied the text from a genuine DNA website. But I can’t find it anywhere.
Where this falls down is with the text on the clickable button: “Review DNA Match”. That doesn’t make sense in the context of the message. I’d say two different people put this together, and the graphics guy messed up.
Should other DNA site users be concerned?
MyHeritage is one of the smaller sites, compared to Ancestry and 23andMe. So why would hackers go after their users, if they also have the emails of GEDmatch accounts with kits from those two big beasts?
Perhaps it was a test run to check how effective the scam might be. Unfortunately, MyHeritage has determined that at least 16 people fell for it. That could be enough for a rinse-and-repeat targeting other DNA sites. Be vigilant!
GEDMatch and the “Shaggy” Defence: “it wasn’t me!”
The MyHeritage blog goes into detail as to why they “suspect” that the phishing attempt was based on the GEDmatch data breach.
- Every email recipient they found has a GEDmatch account.
- One recipient used a name on GEDmatch that they didn’t use on MyHeritage. The email referred to his GEDmatch name.
Just to back up point number two, a Facebook user reports this:
I got a phishing email for each Gedmatch kit I manage addressed to the full name as recorded on Gedmatch. I know Gedmatch is the source of this issue because I used Irish surname spellings on MyHeritage and English spellings on Gedmatch for 2 of the kits.
(What’s this Irish/English surname business? Many Irish people use the Gaelic version of their names in some circumstances and the anglicized versions in others).
At the time of writing this article, GEDmatch is maintaining that the MyHeritage attack has nothing to do with them. Their Facebook announcement of 22nd July states “At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week.”
I’ve read through their Facebook page comments, and their users keep mentioning the MyHeritage phishing scam. A GEDmatch admin replies repeatedly that they have no evidence at this time that the incident was related.
I’ve got Shaggy singing in my head. “It wasn’t me!” And I don’t mean Scooby Doo’s friend. I’m referring to this smooth guy, who definitely did not fool around with anybody’s girlfriend, no way.
Well, I’m convinced that the incidents are related and will remain so until further facts emerge to suggest otherwise. If that happens, I will come back and edit this article.
My take on the actions of GEDMatch and MyHeritage
Both companies have reported the breaches publicly and to the authorities in a timely fashion. Both are clearly taking steps to increase security of their systems.
It looks like MyHeritage does not bear any responsibility for breach of emails, but they’ve taken steps to follow up with at-risk customers. I’m pleased with their vigilance and effort.
GEDmatch/Verogen is another matter. I’ve got a GEDmatch account and have occasionally paid for their extra offerings (called tier one services). I don’t hang out on the GEDmatch FB page, and I didn’t see their announcement. It was brought to my attention by an online acquaintance who thought I would be interested (thank you, sir).
Judging by comments on Facebook, many of their users received an email reporting the breach. I’ve searched my inbox and junk folder, and I’ve got nothing. This omission is also reported by several people on their Facebook page.
If you say it, do it!
To be clear, GEDmatch is still in compliance with GDPR here. They are not obliged to inform users if they do not believe those users are put at risk by the breach. However, one of their FB announcements started with: “The following message is going out to customers via email.” So, why say it if you don’t follow through?
One Facebook member commented about this, and the Facebook administrator said: “Securing the site and investigating the incident has taken precedence during this time. An email to users is forthcoming.” The salty reply was “If you can post on Facebook then you can send out an email.” That had me chuckling.
According to wiki, GEDmatch has 1.2 million DNA profiles. Relatively speaking, that’s not a massive volume. If Verogen was prepared to pay for an appropriate service, they could email every address without taxing their own servers or their own tech professionals. Again, I know they’re not obliged to do this. But they’ve reported the intent. Is that for PR purposes?
The other argument is that this is a fast-breaking situation, and GEDmatch is still investigating the impact. I’ve already noted how they removed their initial blanket statement that no user data had been compromised. There may be ten lawyers in a room still arguing what would go into the email.
Personally, I think they should have sent an email advising people of a security breach and to change their passwords on other DNA sites if they use the same password on GEDmatch. Finish with “See our Facebook page for latest updates”. That simple.
What about the other DNA sites?
These breaches in 2020 for GEDmatch and MyHeritage are not the only security issues for DNA sites. In fact, MyHeritage has had problems in the past. So has Ancestry.
But first, let’s deal with the perfect storm of July 2020: the fact that GEDMatch and MyHeritage are joined by MacKiev, who maintain the Family Tree Maker software.
Family Tree Maker and Ancestry
Family Tree Maker is a desktop genealogy application that can hook up to Ancestry family trees. The software was owned by Ancestry at one time, but they sold it to MacKiev who currently maintain it.
On 20th July, a security firm called WizCase discovered MacKiev had left one of their data servers in an open and unencrypted state. WizCase uses “white-hat” hackers to search for security breaches and vulnerabilities in corporate servers.
A well-known vulnerability
This particular type of exposure has become increasingly well known, and there have been many recent breaches elsewhere. Even Microsoft was exposed as recently as December 2019. It involves inadequate deployment of the search software known as Elasticsearch, typically left reachable from the internet without access controls. The exposure problems have been highly publicized in technical articles, and you can be sure that black-hat hackers are scanning the web for potential targets.
The exposed data
In the case of MacKiev, the white-hat hackers were able to obtain customers’ personal data including email addresses and detailed geographical location. WizCase have published an image of a page of data that is clearly viewable. It appears to be customer support tickets, and it looks like passwords were not included.
This exposure was uncovered by security investigators, which does not by itself mean that hackers also got hold of the data. Presumably, MacKiev’s own investigations have determined whether that is the case. They would be able to examine server access logs, and presumably have only seen the security firm as an external access point. We don’t know, as they have not released a public comment or notified users of a breach.
In contrast, Ancestry released a public statement on their blog. It’s a short statement and this is the critical part:
Based on our investigation, we do not believe that any Ancestry systems or data have been compromised. The Ancestry-Family Tree Maker sync uses OAuth2, a widely-used authentication protocol to provide Family Tree Maker permission to access Ancestry resources without exposing user passwords.
Ancestry Blog, 22 July 2020
I’ve also configured the security protocol they mention (OAuth2) – and yes, that would ensure passwords are not exposed. Family Tree Maker receives an access token limited to what it needs, rather than the user’s Ancestry password, so there is no password on the FTM side to leak.
But that still leaves emails that were exposed alongside detailed geographic locations down to the postal code. Again, I say exposed, but there is no evidence that black-hat hackers found the exposure.
Ancestry’s blog post advises FTM users to change their passwords as a matter of good practice. I’m more inclined to advise the software users to be vigilant for phishing emails.
My take on how MacKiev and Ancestry handled this
The security firm say that MacKiev fixed the problem soon after they were notified. There’s some brownie points.
But I have not seen any public notification from MacKiev. Now, they’re not obliged to go public if customer data was not shown to be breached by ill-meaning parties. I think that once Ancestry went public, it’s not a good look for MacKiev and Family Tree Maker to keep it quiet.
In contrast, I’m pleased that Ancestry made a public announcement, when they didn’t have to do so. I do wonder at the potential impact on relations between Ancestry and MacKiev, and the implications for the future of Family Tree Maker.
When Ancestry owned the software, they tried to discontinue it completely in 2015. There was a lot of protest from loyal users. This seems to have persuaded the DNA giant to sell it instead and allow the software to continue with special access to Ancestry systems. I’ll be keeping an eye out for any negative developments there.
Data versus DNA breaches
During an online discussion of the implications of the GEDmatch breach, one wag opined that we’d all be cloned! I think he was joking.
These three incidents did not involve exposure of our DNA. The one that might worry you is the GEDmatch breach. But our DNA kits are encrypted on the GEDmatch servers, and what we uploaded is removed. Verogen is keen to emphasize this, and it’s a fair point.
I think our emails are far more valuable to these types of hackers, anyway. Genealogy enthusiasts tend to spend disposable income in the form of subscriptions or research services. That’s a desirable target.