Leak Exposes Private Data of Genealogy Service Users

family tree maker genealogy data breach

An exposed ElasticSearch server belonging to Software MacKiev put 60,000 users of the Family Tree Maker software at risk.

A server containing information of users of a genealogy service has exposed the data of 60,000 users, putting them at risk for fraud, phishing and other cybercriminal activity.

Research led by Avishai Efrat at WizCase has discovered the leak, which affected an open and unencrypted ElasticSearch server that belonged to Software MacKiev, according to a report posted online by Chase Williams, a web security expert at WizCase.

Software MacKiev currently maintains the Family Tree Maker, or FTM, software, which in turn syncs user data of a widely-known family history search platform, Ancestry.com.The leak exposed a MacKiev server with 25 gigabytes of Ancestry user data and MacKiev Software user subscriptions, including information such as email addresses, user location, user support messages and technical data. Most of the users whose data was leaked appear to be U.S. residents, according to the report.

“The leaked data could have given cybercriminals and scammers access to user personal information, putting many people in great risk of having their credentials used against them,” Williams wrote in the report.

The reason for the leak appeared to be misconfiguration of an ElasticSearch server, once again highlighting the importance of ensuring that data stored in the cloud is secure and free from common security mistakes, experts noted.

“The reality is that we are going to continue to see these types of configuration errors that result in data loss occurring over and over again; you have to find a way to constantly assess your cloud security posture,” said Pravin Kothari, founder and CEO of cloud security firm CipherCloud, in an email to Threatpost.

FTM originally was released by Broderbund in 1989, but has had several owners since then, including The Learning Company, Mattel and Ancestry.com. MacKiev acquired the Windows version of the software in 2016, but reportedly worked to develop the MacOS version of FTM since 2010.

WizCase researchers said they notified MacKiev to report the leak. Though the company didn’t respond, researchers noticed that the database was secured after notification, they said.

Given how much data is now stored in the cloud, experts said the leak demonstrates that a data-centric approach to security should be a priority among other approaches that protect only the network environment or other aspects of the cloud.

“No matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands — either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight,” noted Trevor Morgan, product manager at data security firm comforte AG, in an email to Threatpost. “Data-centric security addresses the need for security to travel with the data it protects, rather than merely securing the boundaries around that data.”

“Beyond taking an automatedĀ approach to enforcement of cloud security and compliance best practices, you really need to emphasize a data-centric approach,” Kothari concurred. “You have to work really hard to know where all the data lives and enforce the right policies.”

Encryption, which the MacKiev server lacked, is one way to do this, although it also introduces other administrative hassles when dealing with encryption keys, Morgan observed. Tokenization, which replaces sensitive information with innocuous representational tokens, could be a less complex alternative, he suggested.

“This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens,” Morgan said. “Sensitive information remains protected, resulting in the inability of threat actors to monopolize on the breach and data theft.”

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.