A Security Breach Exposed More Than One Million DNA Profiles On A Major Genealogy Database
First GEDmatch, the DNA database that helped identify the Golden State Killer, was hacked. Then email addresses from its users were used in a phishing attack on another leading genealogy site.
On July 19, genealogy enthusiasts who use the website GEDmatch to upload their DNA information and find relatives to fill in their family trees got an unpleasant surprise. Suddenly, more than a million DNA profiles that had been hidden from cops using the site to find partial matches to crime scene DNA were available for police to search.
The news has undermined efforts by Verogen, the forensic genetics company that purchased GEDmatch last December, to convince users that it would protect their privacy while pursuing a business based on using genetic genealogy to help solve violent crimes.
A second alarm came on July 21, when MyHeritage, a genealogy website based in Israel, announced that some of its users had been subjected to a phishing attack to obtain their log-in details for the site — apparently targeting email addresses obtained in the attack on GEDmatch just two days before.
In a statement emailed to BuzzFeed News and posted on Facebook, Verogen explained that the sudden unmasking of GEDmatch profiles that were supposed to be hidden from law enforcement was “orchestrated through a sophisticated attack on one of our servers via an existing user account.”
“As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours,” the statement said. “During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.”
Investigative genetic genealogy exploded onto the scene in April 2018 with the arrest of Joseph James DeAngelo, alleged to be the Golden State Killer. DeAngelo pleaded guilty to 13 murders and admitted to dozens of other crimes last month. Investigators had partially matched DNA found at the scene of a 1980 double murder to profiles on GEDmatch that belonged to the perpetrator’s distant relatives. Through painstaking research, they built out family trees that eventually converged on DeAngelo.
Since then, dozens of alleged murderers and rapists have been identified in a similar way. But this has caused a big split within the world of genealogy. While some genealogists are now working with police, others argue that genetic privacy has been compromised.
GEDmatch’s solution, which followed a controversial incident in which the site bent its own rules to allow police to investigate a less serious violent assault, was that users would have to explicitly opt in for searching by law enforcement. About 280,000 out of 1.45 million profiles had been opted in before the hack, according to Verogen. Sunday’s breach changed the settings so that all 1.45 million DNA profiles were opted in for law enforcement searches.
Genealogists on both sides of this fractious debate told BuzzFeed News that they feared the new security breaches would discourage people from putting their DNA profiles online — hurting both the online genealogy community and efforts to solve cold cases.
“This is a whole new level of bad,” Leah Larkin, a genealogist in Livermore, California, who is an outspoken advocate for genetic privacy, told BuzzFeed News.
“Long term, if people decide they have less confidence in GEDmatch and it leads to more deletions of profiles, that’s not a good thing,” CeCe Moore, lead genealogist with the company Parabon NanoLabs, which works with police to solve violent crimes, told BuzzFeed News.
It’s unclear whether any unauthorized profiles were searched by law enforcement. However, Moore told BuzzFeed News that her team, which is responsible for most of the identifications of criminal suspects made through genetic genealogy so far, was offline at the time. “We didn’t see anything we shouldn’t have,” she said.
Normal service at GEDmatch had briefly resumed after the initial hack, but on July 20, Moore noticed that the permissions on all profiles had been switched again, this time blocking law enforcement searches across the entire database, but making visible profiles marked as “Research,” which are supposed to be hidden from all searches.
The site was quickly taken offline and replaced with the message: “The gedmatch site is down for maintenance - Currently No ETA.”
“We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures,” said Verogen’s statement, which was released after the second incident.
The breach is embarrassing for Verogen, which users hoped would bring a more professional approach to genetic privacy when it purchased the site seven months ago. Before Verogen, GEDmatch was founded and run by two amateur genealogy enthusiasts, Curtis Rogers and John Olson.
Still, the company statement reassured users: “No user data was downloaded or compromised.”
That conclusion was contested on July 21, when the genealogy site MyHeritage warned its customers that those with accounts at GEDmatch were being targeted by a phishing email that sent them to a fake log-in page at the domain myheritaqe.com — which replaced the “g” from MyHeritage with a “q” — to harvest their usernames and passwords.
“Because GEDmatch suffered a data breach two days ago, we suspect that this is how the perpetrators got their email addresses and names for this abuse,” MyHeritage noted in a blog post.
“[W]e have found that 16 of them have fallen victim to the website and entered their password in it. The number may be higher by now. We attempted to contact each of these users individually to warn them to change their password again and to set up Two-Factor Authentication on MyHeritage,” the company said.
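As an added, defender-side example (not from the article, MyHeritage or GEDmatch): a check that flags hostnames in a message body sitting within a couple of edits of a protected brand domain, which catches the one-character swap in the myheritaqe.com lookalike described above. The protected-domain list, the sample e-mail text and all function names are assumptions made for the example.

```python
"""Flag lookalike domains near a protected brand domain (added example)."""
import re
from urllib.parse import urlparse

# Assumed brand domains to guard; the lookalike in the article targets the first.
PROTECTED_DOMAINS = {"myheritage.com", "gedmatch.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete or substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (sufficient for .com; a simplification for multi-label TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_lookalikes(body: str, max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (hostname, protected_domain, distance) for each suspicious URL in body.

    Exact brand domains and their subdomains are never flagged; any other
    registrable domain within max_distance edits of a brand domain is.
    """
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        if dom in PROTECTED_DOMAINS:
            continue  # legitimate brand host (or a subdomain of it)
        for brand in PROTECTED_DOMAINS:
            distance = levenshtein(dom, brand)
            if distance <= max_distance:
                hits.append((host, brand, distance))
    return hits


# Constructed sample message; only the lookalike domain itself comes from the article.
SAMPLE_EMAIL = (
    "Your account needs verification. Sign in at https://www.myheritaqe.com/login "
    "or read our policy at https://www.myheritage.com/privacy-policy"
)

if __name__ == "__main__":
    for host, brand, distance in flag_lookalikes(SAMPLE_EMAIL):
        print(f"suspicious host {host}: {distance} edit(s) from {brand}")
```

A real mail gateway would pair this with a public-suffix list for the registrable-domain step and with homoglyph normalisation, which this example omits.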
Unlike GEDmatch, MyHeritage does not allow its database to be used by police. But there is no evidence that the hacks were perpetrated by rogue cops trying to subvert restrictions on law enforcement searches.
What motivated the attacks is unclear. Colleen Fitzpatrick, a genealogist and president of Identifinders International, which works with law enforcement, said she suspected that the hackers were “joyriding.”
“They see something they can disrupt and sit back and watch the news,” Fitzpatrick told BuzzFeed News.
Colleen Fitzpatrick is with Identifinders International. An earlier version of this article gave a previous affiliation.