Tuesday, July 21, 2020

Be Aware! Security/Privacy Breach at GedMatch.com Possibly Leads to Phishing Attempt at MyHeritage.com — Big Difference in Company Handling of Situations; Also "White-Hat Hackers" Identify Unsecured MacKiev Server, Now Fixed; It Is Unknown if Actual Access Was Gained

Note: This post was originally published at 9:20 p.m., Tuesday, July 21, 2020. Additional information was added.

It has been a rough time for DNA and genealogy this week. How bad is it? We do not know. And things are still developing. But being aware of what has taken place and not panicking will help us get through it.

On Sunday, July 19, 2020, users of the GEDmatch.com website noticed some weird things, so much so that they contacted the website's owners. Some saw strange match kits, some saw what appeared to be hundreds of new, really close matches, some noticed that they were seeing law enforcement test kits, and some noticed that the settings of their kits (some previously set to non-law enforcement) were now all open to law enforcement viewing.

Some wondered if it was an update gone bad; some wondered if a security or privacy breach had occurred or was occurring. The GEDmatch website went offline several times. Eventually the company made a statement Sunday afternoon (our time) on its Facebook page and has since added a couple of additional statements. At this time the last message says the website will be offline for two to three days while security is enhanced.

Exactly what was compromised is not clear. A statement last night, in the 7 p.m. time range, by GEDmatch (Verogen is its owner) says that all user test kits were switched to open to law enforcement viewing for at least three hours on Sunday. And law enforcement administered kits were viewable by others too. It says that no user data was downloaded or compromised. But GEDmatch is likely still investigating what happened.

It has been three days since the breach and GEDmatch/Verogen has failed to directly contact/email GEDmatch account holders to inform ALL of its users of the situation. It has again simply relied on its GEDmatch Facebook page to make the announcement (not everyone is on Facebook) and the news page of its corporate website. We actually just learned of this incident earlier today (Tuesday).

Earlier this evening, Tuesday, July 21, MyHeritage.com announced on its blog that a few of its MyHeritage users had alerted them to a malicious phishing attempt possibly connected to the GEDmatch breach.

MyHeritage.com's announcement is detailed in what was discovered, how it was discovered and the actions it quickly took to limit damage as much as possible, actions that all took place hours before the announcement was released. Essentially, some MyHeritage customers received phishing emails that led to a fake website set up to look like the MyHeritage.com website, all in an attempt to gain users' login credentials -- their usernames and passwords. The fake website's domain name used a Q in place of the g.

With the help of the users who reported the scam, MyHeritage suspects that the phishing scam is related to the breach at the GEDmatch.com website. According to the blog post, one user used a unique name at the GEDmatch.com website that was only associated with that site and not with the user's MyHeritage.com account.

MyHeritage has taken steps to get the fake website taken down from its domain and host entities.

MyHeritage is warning users of the fake email and that if it is received, do not click on it; just delete it. (See the MyHeritage blog for an image of the fake email.)
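As an added example (not code from this post, nor from MyHeritage or GEDmatch), here is a small Python check a defender could run over the links in a suspicious email: it flags a host that matches a trusted genealogy domain only after look-alike characters such as the q-for-g swap described above are folded, or that merely embeds the brand name. The trusted-domain list and the sample URLs are constructed for illustration, not taken from the actual phishing email.

```python
from urllib.parse import urlparse

# Constructed list of legitimate domains the check compares against.
TRUSTED_DOMAINS = ["myheritage.com", "gedmatch.com", "ancestry.com", "familysearch.org"]

# Character substitutions that read alike at a glance or in some fonts.
CONFUSABLES = {"q": "g", "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold look-alike characters so a spoofed label compares equal to the real one."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a brand name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host (fine for .com/.org, not for suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's host."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.rsplit(".", 1)[0]          # brand part, without the TLD
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rsplit(".", 1)[0]
        # Equal after confusable folding, within one edit, or brand embedded
        # in a longer label (e.g. brand-login.example): treat as a spoof.
        if normalize(name) == normalize(tname) or edit_distance(name, tname) <= 1 \
                or tname in name:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links, including a hypothetical q-for-g spoof.
    for u in ["https://www.myheritage.com/login", "https://myheritaqe.com/login",
              "http://gedmatch-login.example/", "https://example.org/"]:
        print(u, "->", classify_url(u))
```

The check is deliberately conservative: a legitimate domain that simply contains a brand name will also be flagged, which for a "look before you click" habit is the safer side to err on.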

MyHeritage, which suspects that at the very least names and emails were stolen from GEDmatch, is also warning GEDmatch users who uploaded DNA tests from AncestryDNA, 23andMe, FamilyTreeDNA, etc. to be aware and on the alert for similar phishing emails impersonating those other DNA testing company websites.

As a precaution, MyHeritage has temporarily turned off the ability to export DNA data from MyHeritage. The company is also suggesting everyone update their various passwords just to be safe. Make sure they are unique: don't reuse the same password on multiple websites.

Now for the other security matter ...

If you have read or watched any tech-related books, movies or television shows, you have probably heard the term hacker. The simple definition is that hackers use computers to gain unauthorized access to data. But various shades of hackers have developed over time. White-hat hackers choose to use their skills for good, or ethical, reasons, and they may or may not work for companies that employ them to test and fix data systems for security holes or flaws.

Recently, it was reported that WizCase "found a data leak affecting an open and unencrypted ElasticSearch server that belongs to Software MacKiev." WizCase contacted MacKiev about the leak and, though it did not receive a response from MacKiev, the exposed database was secured shortly afterward.

The article reports that the misconfigured server exposed information on approximately 60,000 users (some are duplicates), including complaints sent to customer support and sensitive data about their physical location. Reportedly exposed data included: email addresses, internal system user IDs, subscription type and its status, refunds (if applicable), timestamps, user location data including geolocation coordinates and cities, IP addresses, user support messages, and technical data such as error logs.

The article reports that if cybercriminals or scammers had accessed the leak, possible threats could include spam and phishing, fraud, technical vulnerabilities and business espionage, to name a few.

BUT it is important to note that the original article does not say that the Software MacKiev server was actually accessed, hacked or exploited by cybercriminals or scammers. Some subsequent posts and articles on other sites seem to give the impression that an actual incident occurred, but that is not what the article states.

Users of Family Tree Maker will not know for sure until Software MacKiev addresses the situation itself.* To do so, MacKiev will need to review the server's access logs (an autopsy of sorts) to determine whether there was any unauthorized access to the server while it was misconfigured.

* Additional information found late tonight: Hiding in the Family Tree Maker Support pages is a very brief message called Data Security Article that acknowledges the article, assures the data is safe and promises a more detailed post will hopefully be made soon.

The exposed data mentioned above does not include usernames and passwords, but if you want to err on the side of caution, you might consider changing the passwords on your Ancestry and FamilySearch accounts. Changing your passwords should be a normal routine anyway to secure your electronic life.

So, overall, do not panic, stay aware and do not click on messages automatically. Look, review, question: is the message or link real?

See you soon at Mt. Clemens Public Library! (Some day soon.)
LE
