Has anything happened to Gedmatch?

+11 votes
447 views
I logged into Gedmatch and had an unusually large number of large, weird looking matches. I emailed Gedmatch to alert them to a possible security concern and started trying to secure my kits. Then the site crashed. Does anyone know if anything is going wrong at Gedmatch?
in The Tree House by John Cherry G2G6 Mach 1 (12.0k points)
Hi J!

After seeing your question, i went over to GEDmatch, which i had left open last night when my laptop died of low battery.  (Usually i log off properly...)  To my surprise i had not been logged off by the GEDmatch system.  When i refreshed, i too had a lot of new 3rd cousin-ish matches, many of them with random numbers in the name/alias column.  But it didn't crash.

Several of these new matches were managed by XXXXXXX@epitarg.com.  Seems that it might be a real victim identification organization.  My guess is that we are helping law enforcement.

I ran a report for the results of a random distant cousin, and there were no such matches in that list.

Interesting!

Edited to obscure the email address as suggested by Debbie X.  thanks Debbie!

Another of my randomly named matches was managed by XXXXX@parabon.com.  That turns out to be the email of a lead researcher at Parabon Nanolabs.

After i refreshed GEDmatch, the match wasn't there anymore. And now GEDmatch is timing out on everything i try to do.  I think maybe someone forgot to make these results invisible, and now they are running whatever they need to run to keep these research results private.

I'm glad i'm helping law enforcement and science.  I'm glad my GEDmatch kit is linked to my WikiTree profile and they will be able to see my whole tree and then some.  One of the John Doe kits seems to be related to my great big Steeves family, so if someone is missing, i hope this research brings closure somehow.  My grandfather's beloved uncle Walter dropped off the face of the earth on his trip to California in 1925.  Maybe someday his remains will be discovered and identified.

Edited to obscure the email address as suggested by Debbie X.  thanks Debbie!

In fact i just quickly added a few details to Walter's profile so that he would be considered as a possible missing person by anyone who is looking for candidates for the owner of his DNA, should it ever make it to a lab.  

Anything else i should do to make it easier to identify Walter if/when the possibility exists?

After reading your post, I tried to sign-in to GedMatch & could not. Now, it says this on page:

"The gedmatch site is down for maintance. Currently no ETA for availability."

I was able to log in just now.  Those parabon and epitarg managed kits are not visible.
The Gedmatch site seems to be back up. The odd matches are gone. So is a kit I tried to load up yesterday. My kits are marked not for police enforcement so very concerned that they may have been used in a law enforcement matching. I will await my reply from Gedmatch. John
If your DNA is in GEDmatch, it's subject to search regardless of your opt-in status. Just last November a judge authorized a search of the entire database. Warrants render opt-in completely useless as opt-in user agreements have no standing in law.
I've noticed that a couple of people in this thread have published e-mail addresses that were revealed in the privacy breach. These e-mail addresses were attached to private kits and should not have been made publicly available. Can I suggest that you go back and amend your posts to remove this private information?

It has now been announced to be a privacy breach. See the update at the blog post in my answer: https://cruwys.blogspot.com/2020/07/major-privacy-breach-at-gedmatch.html?fbclid=IwAR13h087RIaOkShkx8IvrSexq-y8PizQWxBom_sZJyrY7tIROrufbpo9_S0

4 Answers

+5 votes
by Barry Smith G2G6 Pilot (292k points)

That blog is very informative, Barry!  thanks for that.  

An update to the blog stated:

(22.51 pm UK time) that GEDmatch is back up and running and my kits all have the correct access levels.
23.09 pm The following message has been posted on the GEDmatch Facebook page.

However, what i see is:

This page isn’t working

www.gedmatch.com is currently unable to handle this request.

HTTP ERROR 503
working again now, and my Police settings are as i set them
+4 votes
One headline about the incident:  "Gedmatch investigating after users' DNA profile data made available to police" an article by Zack Whittaker at TechCrunch website.
by Jo McCaleb G2G6 Mach 3 (39.9k points)

The site is down again for maintenance with no expected time for resumption with the following message on the Facebook page:

"Today as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. We are working with a cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures." (Gedmatch message on Facebook)

+4 votes

I received the email below today. One thing that immediately jumped out at me was the paragraph about how DNA information was not compromised, because it was encoded. I suspect that "encoding" was a deliberate word choice; and encoding is not encryption. In fact, it is often trivially easy to decode encoded data to retrieve it in its raw form. If they actually have a "leading cybersecurity firm" involved, this distinction (if incorrect) should have been identified immediately. As such, though I do not know the internal details, I am personally assuming that my raw DNA data was effectively compromised.

Dear GEDmatch member,

On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

Sincerely,

Brett Williams
CEO, Verogen Inc.

by John Trotter G2G6 Mach 4 (42.7k points)
edited by John Trotter
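
The distinction the answer above draws between encoding and encryption, as an added example that is not part of the original post and not GEDmatch's code. It assumes a hypothetical compress-then-base64 storage encoding (the page does not describe GEDmatch's actual format) and shows that anyone trying standard keyless decoders recovers the kit, while random bytes, standing in for ciphertext under a key the auditor lacks, yield nothing. The sample kit and all function names are constructed for illustration.

```python
import base64
import binascii
import os
import zlib

# Constructed sample kit in a tab-separated raw-data layout (not real data).
RAW = ("# rsid\tchromosome\tposition\tgenotype\n"
       "rs0000001\t1\t10100\tAA\n"
       "rs0000002\t1\t20200\tAG\n"
       "rs0000003\t2\t30300\tCC\n"
       "rs0000004\t2\t40400\tCT\n").encode()

# Random bytes stand in for ciphertext made with a key the auditor lacks.
CIPHERTEXT_STAND_IN = os.urandom(256)

# Transforms that need no secret at all.
KEYLESS_DECODERS = {
    "base64": lambda b: base64.b64decode(b, validate=True),
    "hex": binascii.unhexlify,
    "zlib": zlib.decompress,
}

def encode_kit(raw: bytes) -> bytes:
    """Hypothetical keyless storage encoding: compress, then base64."""
    return base64.b64encode(zlib.compress(raw))

def looks_like_genotypes(data: bytes) -> bool:
    """True if every non-comment line is rsid, chromosome, position, genotype."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    rows = [l.split("\t") for l in text.splitlines() if l and not l.startswith("#")]
    return bool(rows) and all(
        len(r) == 4 and r[2].isdigit() and set(r[3]) <= set("ACGT-") for r in rows)

def recover_without_key(blob: bytes, max_depth: int = 4):
    """Breadth-first search over chains of keyless decoders.
    Returns (decoder_chain, plaintext), or None if no chain yields genotypes."""
    frontier = [([], blob)]
    for _ in range(max_depth + 1):
        next_frontier = []
        for chain, data in frontier:
            if looks_like_genotypes(data):
                return chain, data
            for name, decode in KEYLESS_DECODERS.items():
                try:
                    next_frontier.append((chain + [name], decode(data)))
                except (ValueError, zlib.error):
                    continue
        frontier = next_frontier
    return None
```

A storage format that `recover_without_key` can reverse protects nothing once the stored bytes are read; only a secret held outside the stored data changes that.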

This article is specifically on security risks posed by GEDmatch:

https://dnasec.cs.washington.edu/genetic-genealogy/ney_ndss.pdf

 and it says "In the case of GEDmatch, the kits appear to be compressed with a lossy compression scheme." This would add some security. The article itself is fascinating in that it proves that you can get information about raw data uploaded to GEDmatch, not by hacking in and decompressing the data but rather through repeated querying against experimental kits. GEDmatch doesn't just show you the length and number of segments where you match, and it doesn't just show you the start and endpoints of those segments -- it displays graphically how you compare at every single SNP. Specifically, most people ignore the colored bar or even turn off the visual comparison, but each bar is made up of 1-pixel wide columns and each column represents an SNP. The color is red if there is no match, yellow if a half-match, and green if a full match. By uploading enough kits with carefully constructed raw data and querying over and over against the same private kit, you can determine the measured alleles in the private kit from those colored bars.

So -- this article already showed how to obtain kit data without needing to hack in and then figure out how to decompress the data.


I don't really care or worry, because most SNPs are positions that aren't hugely medically relevant. Those positions that are relevant are usually so in combination with lots of other positions, many of which won't be measured, and also with environmental factors. IMO figuring out how to make malicious use of the genotyped data we currently have is much more difficult than figuring out how to obtain the info.

Thanks Barry. Interesting to hear, but it supports my point that this email I received is misleading at best.
Received this email as well.

It appears that the hacker was trying to make all law enforcement profiles (which are presumably hidden) visible.

And the second breach was to opt everyone out of law enforcement matching, which would then make all profiles hidden.

Hacker likely believes that by doing this he/she/they are protecting vulnerable populations from police searches. But, especially considering the second breach effectively disables the site, it could also be someone with a great deal to hide who doesn't want to be found out.

Not to be all conspiracy theory and such... but Jeffrey Epstein and Ghislaine Maxwell were up to much more heinous acts than have been reported and/or prosecuted, involving incredibly high profile clients and associates for decades.
+2 votes
GEDmatch is working again.
by Peter Roberts G2G6 Pilot (704k points)
