Hackers target DNA profiles on major genealogy databases

On July 19, users of the genealogy website GEDmatch were met by an unpleasant surprise when they logged in to the website. More than 1 million DNA profiles that were previously hidden from law enforcement were now available for police to search. Then, on July 21, MyHeritage announced some of its users were subjected to a phishing attack targeting their login credentials for the site. Email addresses targeted in the attack were the same ones stolen in the GEDmatch attack just two days earlier.

News of the breach comes months after Verogen purchased GEDmatch. At the time of the acquisition, Verogen told GEDmatch users it would protect their privacy but would also use genealogy to assist in solving violent crimes. Users who wished to remain anonymous could opt out of submitting their genetic information to law enforcement.

These safeguards failed during the hack. According to GEDmatch, the data breach resulted in all user accounts being reset, making them visible to all GEDmatch users and law enforcement for about three hours.

“As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours,” the statement reads. “During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.”

Service at GEDmatch briefly resumed after the initial breach, but the site has since been taken offline and replaced with a message that reads, “The GEDmatch site is down for maintenance - Currently No ETA.”

In a statement, Verogen further explained, “We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures.” Verogen has also reported the hack to the authorities.

Though Verogen reassured its users that no user data was downloaded or compromised during the breach, this claim came into question on July 21 when MyHeritage warned its customers they may be targeted by an email phishing campaign. According to MyHeritage, the hackers got the users’ email addresses from the GEDmatch hack.

The MyHeritage phishing campaign included a phishing email that sent users to a fake login page at the domain myheritaqe.com. This page was designed to harvest their usernames and passwords.
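The fake domain differs from the real one by a single look-alike letter (q for g), which a mail or proxy filter can catch mechanically. The following is an added example, not code from MyHeritage or GEDmatch: it generalizes that one swap to a small, assumed table of confusable characters plus an edit-distance check, and the function names, the table and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

PROTECTED = ["myheritage.com"]  # the legitimate domain named in the article
# Assumed, deliberately small table of visually confusable substitutions.
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "rn": "m", "vv": "w"}

def skeleton(name: str) -> str:
    """Fold look-alike characters so 'myheritaqe' and 'myheritage' compare equal."""
    name = name.lower()
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels only; a simplification, real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url: str, max_distance: int = 1):
    """Return (verdict, reason) for the host in a URL found in an email or proxy log."""
    domain = registrable(urlsplit(url).hostname or "")
    if domain in PROTECTED:
        return ("legitimate", "exact match")
    for real in PROTECTED:
        if skeleton(domain) == skeleton(real):
            return ("lookalike", "confusable characters")
        distance = edit_distance(domain, real)
        if distance <= max_distance:
            return ("lookalike", f"edit distance {distance}")
    return ("unrelated", "no resemblance")

if __name__ == "__main__":
    # Constructed sample URLs; only myheritaqe.com comes from the article.
    for url in ["https://www.myheritage.com/login", "https://myheritaqe.com/login",
                "https://myheritagee.com/", "https://example.org/"]:
        print(url, classify(url))
```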

In a blog post, MyHeritage explained, “We suspect that the data breach on GEDmatch may have included theft of GEDmatch’s user database (at least email addresses and names of customers, perhaps more) and the perpetrators then proceeded to launch a phishing attack against those users from GEDmatch who are using MyHeritage, by sending them a phishing email to try to collect their passwords. It’s possible that the perpetrators did not retrieve the user database in the current breach but had it in their possession from an earlier intrusion into GEDmatch.”

According to MyHeritage, hackers lured 105 users to the fake website. Of those users, 16 were duped by the website and entered their login credentials.

What motivated these attacks remains unclear. Genealogists say they fear the security breaches may discourage individuals from putting their DNA profiles online, which could negatively impact the online genealogy community and efforts to solve cold cases.