7-21-2020 Update: Please note that information retrieved from the GEDmatch breach may be being used to send phishing emails intended to lure users into signing into a fake website set up to look like MyHeritage. If you receive an email that seems suspicious or has the subject line “Ethnicity Estimate v2,” do not click on it; delete that email. Please read the MyHeritage article, here. To be very clear, MyHeritage has NOT been breached, but bad actors have harvested email addresses and are using them to try to lure targeted MyHeritage users.
I always hate to have to report security breaches within the genealogy community, but GEDmatch not only experienced a breach over the weekend, they are still down while the situation is under investigation.
In a nutshell, for about 3 hours on Sunday, July 19th, all of the accounts, including law enforcement kits, were visible in match lists for everyone. Also, based on screenshots of their security settings taken by users who signed on during that time, kits that had been opted out of law enforcement matching were apparently also available to law enforcement in match lists.
Here are the three announcements on their Facebook page in order of posting.
The first one was posted on July 19 at 6:09 PM.
The update was posted on Monday, July 20th. GEDmatch was up for part of the day, but is now down again and will be for some time.
GEDmatch is now down again.
GEDmatch needs to stay down until an independent security firm verifies that the site is secure.
First, I’m concerned about the breach itself and if anything was compromised internally. GEDmatch (Verogen) has been transparent about this, and I have every reason to think they will continue as information becomes available.
Second, I hope Verogen, who now owns GEDmatch, is working with a professional security firm to conduct a security audit. I provided technology consulting for many years in the municipal government sector and I always encouraged my customers to engage with security professionals that challenge websites by having good hackers attempt to break in. This provides the website owner with the opportunity of discovering weaknesses and vulnerabilities before they are exploited by either opportunists or bad guys.
Third, any company that deals with our DNA, our private information and/or credit card and financial information has an imperative to protect our data by protecting their website at the highest levels possible. And yes, this is a specialty area in technology and expensive. (Take note everyone who wonders why things can’t just be free.)
Fourth, working with law enforcement and handling law enforcement kits means that my third thought should be multiplied several times. GEDmatch’s responsibility is increased and customers, both individual and law enforcement agencies, must be able to have confidence that the company handling their data is both responsible and technically savvy enough to protect their website, and by implication, their customers’ data.
Fifth, while GEDmatch is not the first company, nor the first genealogy company, to suffer a breach, this one is more serious because data was actually exposed to people who were not supposed to see it, not merely copied quietly behind the scenes. Most hackers try to cover their tracks so companies don’t know they were hacked, if at all, until much later. The fact that this was so public suggests that the perpetrator or perpetrators were trying to harm GEDmatch, probably because of its work with law enforcement, although we won’t know until the investigation is complete. Of course, some people do things like this simply “because they can.” The initial goal of this hack does not appear to have been theft of data, but public exposure.
I’m not making any decision about the future until after I see what happens. As a consumer, all I can say right now is “we’ll see.” I would like to see an independent security firm audit and would feel much more comfortable if I know that has happened and any issues have been satisfactorily remediated.
I’ll also add that I feel incredibly bad for any company that has to deal with hacked sites and situations like this, especially when the goal seems to be to inflict harm, and the tactic will surely succeed at some level.