Leak Exposes Private Data of Genealogy Service Users


An exposed ElasticSearch server belonging to Software MacKiev put 60,000 users of the Family Tree Maker software at risk.

A server containing information of users of a genealogy service has exposed the data of 60,000 users, putting them at risk for fraud, phishing and other cybercriminal activity.

Research led by Avishai Efrat at WizCase has discovered the leak, which affected an open and unencrypted ElasticSearch server that belonged to Software MacKiev, according to a report posted online by Chase Williams, a web security expert at WizCase.

Software MacKiev currently maintains the Family Tree Maker (FTM) software, which syncs user data with the widely known family-history platform Ancestry.com. The leak exposed a MacKiev server holding 25 gigabytes of Ancestry user data and Software MacKiev user subscriptions, including email addresses, user locations, user support messages and technical data. Most of the users whose data was exposed appear to be U.S. residents, according to the report.

“The leaked data could have given cybercriminals and scammers access to user personal information, putting many people in great risk of having their credentials used against them,” Williams wrote in the report.

The reason for the leak appeared to be misconfiguration of an ElasticSearch server, once again highlighting the importance of ensuring that data stored in the cloud is secure and free from common security mistakes, experts noted.

“The reality is that we are going to continue to see these types of configuration errors that result in data loss occurring over and over again; you have to find a way to constantly assess your cloud security posture,” said Pravin Kothari, founder and CEO of cloud security firm CipherCloud, in an email to Threatpost.
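The "configuration error" in this story is a specific and recurring one: an Elasticsearch node bound to a routable interface while authentication is left off, so anyone who can reach port 9200 can read (and write) every index. The following is an added example, not code from WizCase, MacKiev or Elastic. It audits a flat `elasticsearch.yml` for that condition and classifies the response to an unauthenticated `GET /` the way a posture scanner would; the constructed `WEAK` and `HARDENED` configs, the pre-8.0 assumption that `xpack.security.enabled` defaults to false, and the function names are all this example's own.

```python
"""Audit an Elasticsearch node config and an HTTP probe result for the
open-to-the-network failure mode described in the article.

Assumptions (not from the article): the config is a flat elasticsearch.yml
with dotted keys, and the node runs a pre-8.0 release, where
xpack.security.enabled defaults to false and network.host to loopback.
"""
import json

# Values of network.host that keep the HTTP API on the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict. Comments and blank lines are
    skipped; nested YAML blocks are out of scope for this example."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _flag(value, default):
    """Interpret a YAML boolean string, falling back to the release default."""
    if value is None:
        return default
    return value.lower() == "true"


def audit_config(text):
    """Return a list of (severity, message) findings for one node config."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "127.0.0.1")
    exposed = host not in LOOPBACK          # 0.0.0.0, _site_, _global_, a NIC address
    security = _flag(s.get("xpack.security.enabled"), default=False)
    tls = _flag(s.get("xpack.security.http.ssl.enabled"), default=False)
    port = s.get("http.port", "9200")
    if exposed and not security:
        findings.append(("critical",
                         f"network.host={host} with xpack.security.enabled=false: "
                         f"every index is readable and writable by anyone who can reach port {port}"))
    if exposed and security and not tls:
        findings.append(("high",
                         "authentication enabled but xpack.security.http.ssl.enabled=false: "
                         "credentials and documents cross the network in cleartext"))
    if not exposed:
        findings.append(("info", "bound to loopback only; reachable solely from the host itself"))
    return findings


def classify_probe(status, body):
    """Classify the response to an unauthenticated GET / on the HTTP port.
    An open node answers 200 with its cluster banner; a secured node answers 401."""
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "unknown"


# Constructed sample configs; the cluster name is invented for this example.
WEAK = """cluster.name: ftm-sync
network.host: 0.0.0.0
http.port: 9200
# security was never turned on
"""

HARDENED = """cluster.name: ftm-sync
network.host: 10.0.3.7
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_config(cfg) or "no findings")
    # Constructed banner, as an open 7.x node would return it.
    print(classify_probe(200, '{"name":"n1","cluster_name":"ftm-sync","version":{"number":"7.6.2"}}'))
```

`audit_config` is the pre-deployment check; `classify_probe` is the runtime one, meant to be fed the status and body from a scheduled request against each node's external address. A node that returns "open" from outside the network segment is the situation described in the article, regardless of what the config file says it should be doing.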

FTM was originally released by Broderbund in 1989 but has had several owners since then, including The Learning Company, Mattel and Ancestry.com. MacKiev acquired the Windows version of the software in 2016, but had reportedly been developing the macOS version of FTM since 2010.

WizCase researchers said they notified MacKiev to report the leak. Though the company didn’t respond, researchers noticed that the database was secured after notification, they said.

Given how much data is now stored in the cloud, experts said the leak demonstrates that a data-centric approach to security should be a priority among other approaches that protect only the network environment or other aspects of the cloud.

“No matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands — either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight,” noted Trevor Morgan, product manager at data security firm comforte AG, in an email to Threatpost. “Data-centric security addresses the need for security to travel with the data it protects, rather than merely securing the boundaries around that data.”

“Beyond taking an automated approach to enforcement of cloud security and compliance best practices, you really need to emphasize a data-centric approach,” Kothari concurred. “You have to work really hard to know where all the data lives and enforce the right policies.”

Encryption, which the MacKiev server lacked, is one way to do this, although it brings the administrative burden of managing encryption keys, Morgan observed. Tokenization, which replaces sensitive information with innocuous representational tokens, could be a less complex alternative, he suggested.

“This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens,” Morgan said. “Sensitive information remains protected, resulting in the inability of threat actors to monopolize on the breach and data theft.”
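To make the encryption-versus-tokenization point concrete: an encrypted index plus a leaked key yields every record, whereas a tokenized index yields nothing without the vault, because the tokens are random values that merely refer to the plaintext. The following is an added example, not comforte's product or any MacKiev code. It implements a vault-style tokenizer over the kinds of fields the leaked records reportedly held (email, location, support message); the `TokenVault` and `tokenize_record` names, the in-memory vault standing in for an access-controlled store, and the sample records are all constructed for this example.

```python
"""Vault-style tokenization of the sensitive fields in a support/subscription
record. Added example; not the article's or any vendor's code.

Assumption: a single-process dict stands in for the access-controlled token
vault. The vault indexes existing mappings by an HMAC of the value so the
vault's own lookup table never holds plaintext as a key.
"""
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("email", "location", "support_message")


class TokenVault:
    """Maps sensitive values to random tokens and back.

    Tokens carry no information about the value, so the tokenized dataset
    on its own reveals nothing. The same value always maps to the same
    token, so joins and de-duplication over tokenized data still work.
    """

    def __init__(self, index_key=None):
        # Key for the lookup HMAC only; assumed to live with the vault,
        # not with the application that holds the tokenized data.
        self._index_key = index_key or secrets.token_bytes(32)
        self._by_fingerprint = {}   # HMAC(value) -> token
        self._by_token = {}         # token -> value (the sensitive side)

    def _fingerprint(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()

    def tokenize(self, value):
        fp = self._fingerprint(value)
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(18)
            while token in self._by_token:       # practically never loops
                token = "tok_" + secrets.token_urlsafe(18)
            self._by_fingerprint[fp] = token
            self._by_token[token] = value
        return token

    def has_token(self, token):
        return token in self._by_token

    def detokenize(self, token):
        """Only callers with vault access can turn a token back into data."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def tokenize_record(vault, record):
    """Replace the sensitive fields; technical fields stay in clear."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(vault, record):
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = vault.detokenize(out[field])
    return out


def leaks_plaintext(tokenized, original):
    """True if any sensitive original value survives in the tokenized record."""
    blob = " ".join(str(v) for v in tokenized.values())
    return any(original.get(f) is not None and original[f] in blob
               for f in SENSITIVE_FIELDS)


# Constructed sample records, not real leaked data.
RECORDS = [
    {"user_id": 1001, "email": "alice@example.com", "location": "Boston, MA",
     "support_message": "Sync to Ancestry fails after update",
     "ftm_version": "2019.1", "os": "macOS 10.14"},
    {"user_id": 1002, "email": "alice@example.com", "location": "Boston, MA",
     "support_message": "Second ticket from the same person",
     "ftm_version": "2019.1", "os": "macOS 10.14"},
    {"user_id": 1003, "email": "bob@example.org", "location": None,
     "support_message": "Cannot open tree file",
     "ftm_version": "2017.2", "os": "Windows 10"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for rec in RECORDS:
        print(tokenize_record(vault, rec))
```

The tokenized records are what would sit in the search index; the vault is a separate, tightly controlled service. Leaking the index then exposes version and OS strings plus opaque `tok_...` values, which is the "no clear meaning can be derived from the tokens" property in the quote above. The key-management burden does not disappear, but it moves to one small component rather than every place that handles the data.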


Discussion

  • Rick:

    As an active user of FTM, I read this analysis but am confused. In my case I do not use the cloud storage but I do sync with Ancestry several times a week. So the question: does this affect only users that have an FTM cloud account?
    • Tara Seals:

      Hi Rick -- sorry for the confusion. You don't have to be a cloud user to be affected by this. The exposure was of an internal FTM database that contained data for users such as yourself. We don't have a way of knowing which specific customers were impacted though, because the company hasn't made a public statement on the issue. The good news is that there's no indication that hackers accessed the data -- only that it was left exposed for an unspecified amount of time.
  • Rusty Aldrich:

    So I am not sure what the data breach would mean for me, the consumer. Did it put my DNA, raw or processed, in their hands? Like to use as if they were covering themselves in good clean records, or how does this work? Or can you tell I don't know what to expect from this. Kinda creepy thinking that could actually happen, and is our sample that has been read, can that be made to go elsewhere for whatever their purpose is? And is this just that company letting all the results out and everyone has to accept the consequences now? Disturbed by lack of security....
  • Jane Hardin:

    What can we do to protect our data in the future? This is upsetting. I have 50 years of research in FTM/ancestry.com.
  • Jimmy:

    So in other words, if I leave my back door open, a red double-decker bus might drive in.
