Cyber Incident Victim: MyHeritage
Date:
Jul 2020
Location:
Israel
Summary
A sophisticated cyberattack compromised a genetic genealogy platform, initially breaching user accounts to expose over a million previously restricted DNA profiles to law enforcement searches. Subsequently, email addresses obtained from this breach were used in a coordinated phishing campaign targeting users of another genealogy service, attempting to steal their login credentials. The incident undermined privacy assurances provided by the platform's parent company and highlighted vulnerabilities in handling sensitive genetic data. It sparked broader concerns regarding the security of forensic genealogy databases, unauthorized law enforcement access, and the potential erosion of public trust in genetic privacy safeguards amid rising use of such services for criminal investigations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 19, 2020, genealogy platform GEDmatch experienced a security breach that altered user privacy settings, exposing over one million DNA profiles previously hidden from law enforcement searches. The breach occurred through unauthorized access to a server via a compromised user account, as confirmed by Verogen, the forensic genetics company that acquired GEDmatch in December 2019. This manipulation overrode opt-out preferences that had restricted police access to genetic data for criminal investigations, directly undermining Verogen’s assurances about user privacy protections. The incident disrupted the platform’s operational integrity and revealed vulnerabilities in its infrastructure. Two days later, on July 21, MyHeritage—a separate genealogy service based in Israel—reported a targeted phishing campaign against its users. Attackers leveraged email addresses obtained during the GEDmatch breach to send fraudulent login requests, attempting to harvest MyHeritage account credentials. This secondary attack demonstrated a coordinated effort to exploit genetic genealogy platforms and their user bases.
The GEDmatch breach immediately impacted trust in genetic privacy safeguards, particularly given the platform’s pivotal role in high-profile forensic cases like the Golden State Killer investigation. Verogen publicly acknowledged the attack in statements to BuzzFeed News and on Facebook, attributing it to a "sophisticated attack" but providing no technical specifics about mitigation. MyHeritage proactively notified users of the phishing attempt, though the scale of compromised accounts remained unclear. Collectively, these incidents highlighted systemic risks in DNA data stewardship, with experts warning of eroded public confidence in both consumer genealogy services and law enforcement’s use of such platforms. The breaches underscored the attractiveness of genetic databases as targets for malicious actors seeking sensitive personal information or aiming to disrupt forensic investigations.