The year 2020 has been a mind-boggling experience with regard to data protection (or lack thereof). Though it is only July, the number of high-profile data leaks and data breaches continues to cause havoc for companies and customers. The most recent high-profile victim of data insecurity is a popular genealogy tool used by tens of thousands. According to a blog post from Chase Williams of WizCase, Family Tree Maker (which is operated by Software MacKiev and used by Ancestry.com) has been found to be insecure.
WizCase's white-hat security team, which is led by Avishai Efrat, reported the following:
The misconfigured ElasticSearch server exposed information of approximately 60,000 users (including duplicates) and complaints sent to customer support and extremely vulnerable data about their physical location. As the company is based in the US, most of its users could be identified as US residents.
The data totaled around 25GB and, as the report notes, could have dire consequences if used by cybercriminals. The personal data in the Family Tree Maker ElasticSearch server can be used for social engineering attacks like phishing, identity theft fraud campaigns, and even business espionage. When the WizCase team discovered the misconfigured Family Tree Maker server, Software MacKiev was notified immediately. Though Williams notes in his report that the company did not acknowledge the disclosure, the server was, in fact, secured days later.
There is no evidence that cybercriminals gained access to the data in the ElasticSearch server. Nevertheless, anyone who uses Family Tree Maker should change their passwords and keep an eye on their personal data. Anything stored on the server could have been stolen and passed around on the Dark Web, so practice defensive awareness for the time being. Give any company, no matter which one, only the minimum amount of data you need to.