GEDmatch Security Breach

7-21-2020 Update: Please note that information retrieved from the GEDmatch breach may be being used to send phishing emails intending to lure users into signing into a fake website set up to look like MyHeritage, but is not. If you receive an email that seems suspicious or has the title “Ethnicity Estimate v2,” do not click. Do delete that email. Please read the MyHeritage article, here. To be very clear, MyHeritage has NOT been breached, but bad actors have harvested emails and are using them to try to lure targeted MyHeritage users.

Original article:

I always hate to have to report security breaches within the genealogy community, but GEDmatch not only experienced a breach over the weekend, they are still down while the situation is under investigation.

In a nutshell, for about 3 hours on Sunday, July 19th, all of the accounts, including law enforcement kits, were available in match lists for everyone. Also, kits that had been opted out of law enforcement matching were apparently, based on screen shots of their security settings taken by users who signed on during that time, also available to law enforcement in match lists.

Here are the three announcements on their Facebook page in order of posting.

The first one was posted on July 19 at 6:09 PM.

Gedmatch breach 4

The update was posted on Monday, July 20th. GEDmatch was up for part of the day, but is now down again and will be for some time.

Gedmatch breach 3.png

GEDmatch is now down again.

GEdmatch breach 2

GEDmatch needs to stay down until an independent security firm verifies that the site is secure.

Thoughts

First, I’m concerned about the breach itself and if anything was compromised internally. GEDmatch (Verogen) has been transparent about this, and I have every reason to think they will continue as information becomes available.

Second, I hope Verogen, who now owns GEDmatch, is working with a professional security firm to conduct a security audit. I provided technology consulting for many years in the municipal government sector and I always encouraged my customers to engage with security professionals that challenge websites by having good hackers attempt to break in. This provides the website owner with the opportunity of discovering weaknesses and vulnerabilities before they are exploited by either opportunists or bad guys.

Third, any company that deals with our DNA, our private information and/or or credit card and financial information has an imperative to protect our data by protecting their website at the highest levels possible. And yes, this is a specialty area in technology and expensive. (Take note everyone who wonders why things can’t just be free.)

Fourth, working with law enforcement and handling law enforcement kits means that my third thought should be multiplied several times. GEDmatch’s responsibility is increased and customers, both individual and law enforcement agencies, must be able to have confidence that the company handling their data is both responsible and technically savvy enough to protect their website, and by implication, their customers’ data.

Fifth, while GEDmatch is not the first company, nor the first genealogy company to suffer a breach, this is more serious because data was actually exposed to people who were not supposed to see it, not just hacked from behind. Most hackers try to cover their tracks so companies don’t know they were hacked, if at all, until much later. The fact that this was so public suggests that the perpetrator or perpetrators were trying to harm GEDmatch, probably because of their work with law enforcement, although we won’t know until the investigation is complete. Of course, some people do things like this simply “because they can.” The goal of this hack initially does not appear to be theft of data, but of public exposure.

The Future

I’m not making any decision about the future until after I see what happens. As a consumer, all I can say right now is “we’ll see.” I would like to see an independent security firm audit and would feel much more comfortable if I know that has happened and any issues have been satisfactorily remediated.

I’ll also add that I feel incredibly badly for any company that has to deal with hacked sites and situations like this, especially when the goal seems to be to inflict harm, and the tactic will surely succeed at some level.

_____________________________________________________________

Disclosure

I receive a small contribution when you click on some of the links to vendors in my articles. This does NOT increase the price you pay but helps me to keep the lights on and this informational blog free for everyone. Please click on the links in the articles or to the vendors below if you are purchasing products or DNA testing.

Thank you so much.

DNA Purchases and Free Transfers

Genealogy Products and Services

Genealogy Research

Fun DNA Stuff

  • Celebrate DNA – customized DNA themed t-shirts, bags and other items

18 thoughts on “GEDmatch Security Breach

  1. My assumption is that law enforcement always has access to all of the data no matter what your settings are. Maybe they had a “breach” to help them with some legal or political situation they found themselves in.

    • Only kits matching a specific kit. And a snapshot of something available already to matches would have no value.

  2. I am sure that there are those who would be worried. Because they did not cover their tracks, they did this to exploit the police use aspect. I manage a lot of peoples accounts, when the police use question came up I asked everyone if they wanted me to “hide” their info. They all opted in for police use. So this does not bother me as much as it would others. Thank you so much for being on the ball with notifying us. I myself haven’t signed in in a couple of weeks.

  3. Gedmatch posted on their FB site a full explanation (as far as they know), said they were working with a security firm, and that the site will be down for 2-3 days.

  4. 7-21-2020 Important Update: Please note that information retrieved from the GEDmatch breach may be being used to send phishing emails intending to lure users into signing into a fake website set up to look like MyHeritage, but is not. If you receive an email that seems suspicious or has the title “Ethnicity Estimate v2,” do not click. Do delete that email. Please read the MyHeritage article, here. To be very clear, MyHeritage has NOT been breached, but bad actors have harvested emails and are using them to try to lure targeted MyHeritage users.

  5. LE can use my data anytime. In fact, I will help them find my relative if he/she is a bad guy. I will not protect anyone who has done a really bad thing, relative or not.

    And we must not forget, LE is searching for the “worst of the worst,” not people who spit on the street, or jaywalkers.

    We have a social responsibility.

  6. Well I definitely have lost confidence in GEDMATCH now…as soon as comes back up if it does…I am going to remove the 2 kits that are there. Since finding this out I have lost faith. I only put to GEDMATCH because of research and nothing more. I have never been keen on the idea of Law Enforcement have any access to genetic genealogy sites to begin with. Especially when they can force a site to give up information by slapping a warrant down and saying you do it or else. It is now obvious that privacy policy they have is not up to par now. My concerns about this maybe not right to others but now I feel like I have been put in a position that I do not like…sorry GEDMATCH I am done with this. Until such time that they can get answers to why this happened and what they intend to do to fix this…I am not going to return back.
    I am glad you wrote about this Roberta…definitely you have given me alot to think about this issue, because I definitely have issues with this and going forward I do not even want to think about the outcome that this is going to cause…definitely going to be consequences from it definitely. Great article and thanks for writing it.

  7. Thanks Roberta. Anyone who knows GG – and anyone who watched CeCe Moore’s ABC series “The Genetic Detective” – knows GEDmatch can help put violent criminals in jail when years of solid police work has failed. I think we should be shouting from the rooftops for people to join and opt-in to law enforcement.

    But it’s much easier to see the flip side – where Verogen says it just isn’t worth maintaining GEDmatch because of headaches like this. I’m amazed Curtis Rodgers was able to do it.

    I’m grateful to him and to John Olson for this amazing tool. Let’s hope it can continue.

  8. Maybe this hacker is doing this to make police look bad?

    However, our state has had breaches recently. One was a hacker trying to defraud the unemployment system. Caused a delay in processing legitimate claims but the state had both law enforcement and an independent security company in to catch the crook and also secure the system to make it operational.again.

    Bad guys are taking advantage of the crisis in more ways than one!

  9. “The fact that this was so public suggests that the perpetrator or perpetrators were trying to harm GEDmatch, probably because of their work with law enforcement, although we won’t know until the investigation is complete. Of course, some people do things like this simply ‘because they can.’ The goal of this hack initially does not appear to be theft of data, but of public exposure.”

    I suspected as much. I hope they get to the bottom of this.

Leave a Reply to Caith Cancel reply