Tuesday, July 21, 2020

A Hack and a Data Leak in Two Major Genealogy Web Sites - Updated July 22, 2020

If you use Family Tree Maker, currently owned by MacKiev, and use it to sync your genealogy database to and from Ancestry's servers, change your password immediately! The headline reads as if the main Ancestry.com web site was hacked, but according to information security website HackRead.com, it was a misconfigured server that held a "database [which] contained around 25GB worth of data belonging to 'The Software MacKiev Company,' which syncs Ancestry.com’s user data." Among the data left in the open for anyone to download were users' IP addresses, the date and time of users' access, email addresses, messages exchanged with support, internal system user IDs, subscription type and status, and user location data such as city and GPS coordinates. This affects approximately 60,000 users. They don't know whether any malicious actors got hold of the data, but they can't prove they didn't. You need to assume your username and password are compromised and act accordingly.


So, if you sync the Family Tree Maker program with your Ancestry tree, change your password immediately. In addition, if you use this same password anywhere else, change it in all locations and, going forward, don't use the same password on multiple web sites.

This demonstrates why no company should "go to the cloud" without first having a thorough understanding of cloud security and ensuring a server is configured securely right out of the gate. They should not spin up a server and then lock it down as they see the need. All servers should be built with zero access, then allow the access as needed for the functionality that is needed. In the end, we, the users, pay the price for negligent companies.

In addition, GEDMatch had an actual hack compromise their web site, resetting the privacy of all data on the site to public, so anyone could see any private or research-only DNA kits, law enforcement could see data for kits that had opted out of law enforcement sharing, and users could see law enforcement kits. No username/password combinations or actual DNA data were downloaded. GEDMatch remains down while they thoroughly review their security before bringing it back online. They had previously brought it back up for a short time but took it down quickly when they discovered continued problems.

Here is the full post by Verogen in the Facebook GEDMatch User Group:

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.
This was the extent of the breach. No user data was downloaded or compromised.
We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this violation.
Today, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.
This is clearly disappointing for our company, as user privacy and data security are our top priorities. We apologize to our GEDmatch users and our law enforcement customers for the concern and frustration this situation has caused.
Thank you for your continued support of GEDmatch.
If you have questions, please reach out to us at gedmatch@verogen.com. We will update you as soon as we have more information to share.

Everyone who uses a computer should have at least a basic understanding of information security in order to keep themselves safe. It may come as a surprise, but there is little a malicious actor could do with your actual DNA data. However, with usernames, passwords, email addresses and potentially confidential information in genealogy databases, a lot of harm could result. Change your passwords often. Don't use the same password at multiple sites. Assume any email you receive requesting that you sign on to a web site is a hacker trying to get your password. If you receive one of these, go to the web site using a bookmark you already have or by typing the address into the browser. Assume the link in the email is malicious.

---UPDATE---

At least one phishing campaign has been found likely using data stolen during the GEDMatch hack. Emails are being sent to MyHeritage users with the subject line “Ethnicity Estimate v2”. The phish is particularly convincing because they are using the domain myheritaqe.com and on some systems, especially smart phones, the "q" looks very much like a "g". Read more about it on MyHeritage.
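A look-alike domain of this kind can be caught mechanically before anyone reads it on a small screen. The sketch below is an added example, not code from this post or from MyHeritage; the allow-list, the extra confusable pairs beyond "q"/"g", and the URL paths in the sample email are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains the reader really uses (constructed allow-list, an assumption).
TRUSTED = {"ancestry.com", "gedmatch.com", "myheritage.com"}
# Look-alike substitutions: "q" for "g" is the one from the post,
# the rest are common additions assumed for illustration.
CONFUSABLE = {"q": "g", "1": "l", "0": "o", "rn": "m", "vv": "w"}

def registered_domain(url):
    """Last two labels of the host; a simplification that ignores
    multi-part suffixes such as .co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def skeleton(domain):
    """Collapse look-alike characters to one canonical spelling."""
    for fake, real in CONFUSABLE.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, trusted domain it matches or imitates)."""
    dom = registered_domain(url)
    if dom in TRUSTED:
        return ("trusted", dom)
    for good in sorted(TRUSTED):
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

def scan(text):
    """Classify every http(s) link found in an email body."""
    return [(u,) + classify(u) for u in re.findall(r"https?://[^\s\"'<>]+", text)]

# Constructed sample: subject line from the post, URL paths invented.
SAMPLE_EMAIL = """Subject: Ethnicity Estimate v2
View your results: https://www.myheritaqe.com/results
Help: https://www.myheritage.com/help
"""
```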

I don't expect this will be the last phishing campaign resulting from this hack. Be aware and don't click links in emails! Part of my regular day job is getting users to not click links in emails, testing malicious links to see what they do and cleaning up problems that occur after users click links in emails. Trust me on this. DON'T CLICK LINKS IN EMAILS!

--Matt
