SAN FRANCISCO (CBS SF) – A massive security breach forced GEDmatch to shut down its site and exposed the DNA profiles of more than a million people who use the online service to law enforcement agencies.
GEDmatch described it as a “sophisticated attack” on its servers through a user account. Wednesday morning, members were greeted with a letter describing a 3-hour breach and temporary shutdown on July 19, and the discovery of a vulnerability on July 20 that forced the site to shut down.
“We discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks,” said Brett Williams, CEO of GEDmatch’s parent company Verogen Inc. in a letter. “It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.”
Forensic genomics company Verogen Inc., based in California, acquired GEDmatch in December 2019. Members were advised of the partnership and given a chance to opt-out of sharing their DNA profiles with police and other law enforcement agencies.
As of 2019, more than 1.2 million people have used the free service to upload data profiles from different DNA testing companies such as Ancestry and 23andme, and compare their autosomal DNA data files with others. The service has become a huge help for genealogists and people seeking to build their family trees by allowing one-to-one, one-to-many X-DNA comparisons and other useful matrices.
“We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site,” said Williams. “When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.”
Williams said users who also used MyHeritage, another genealogy website, were targeted by a phishing scam.
“We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act,” said Williams.
GEDmatch recently made headlines when it helped investigators identify Joseph James DeAngelo, also known as the Golden State Killer, in California.
On Wednesday, anyone who attempted to access the Gedmatch.com was greeted by a page saying, “The gedmatch site is down for maintenance – Currently No ETA.”
Williams apologized for the breach and said the site will be up in a matter of days. Meanwhile, GEDmatch users can report any suspicious emails to firstname.lastname@example.org or (858) 285-4101.