Sunday, July 26, 2020

This Week's DNA News for DNA Researchers

For people interested in DNA:  Here are three situations that are brewing in the DNA community.  I will lead with the Family Tree Maker situation because I have not mentioned it before, then continue to Ancestry’s change to the centiMorgan threshold for DNA matching to 8 cM, and then the GEDmatch/MyHeritage breach.

#1  Family Tree Maker experienced an unrelated breach last weekend.  Ancestry has announced that Family Tree Maker’s breach did not affect data on Ancestry.com.  I am not a Family Tree Maker user so I have not received personal information about this.  Also, my regular bloggers are not talking about it.

#2  From our meeting, Ancestry’s change to increase the centiMorgan threshold for DNA matching to 8 cM.  A summary from our June 20 Genies minutes starts here:

Ancestry has announced that in August of this year, it will be removing DNA matches of fewer than 8 centiMorgans (cM).  They have announced it will be late August. It currently reports DNA matches down to 6 cM. What we will be getting, they say, is more accurate reporting of segments and the length of the longest segment.

What we will lose is access to potential matches with family trees that can be helpful, despite the low numbers. Judith says if you wish to retain matches with 8 or lower cMs, you will need to do one of the following:

· Assign your DNA match a color dot

· Contact the DNA match link directly

· Have a note in place for that DNA match

Where are dots? The dots can be found on the DNA match list on the right side by the note.  They are used to assign family connections (e.g., maternal matches = green, paternal matches = blue). There are 24 color choices to enable sub-group matching. Matches can then be viewed as a group. Judith suggested looking at your common ancestor lists and making sure you have dots assigned for all, especially those as low as 6-8 cM.  (end minutes)

If you have kits for any people in older generations, that is the place to preserve the small-segment matches.  This is especially true if you have parents, aunts, or uncles.  For example, I have my mother’s brother and my father’s brother.  They have segments similar to mine but technically they should be larger than mine.  I do almost all my DNA research in their kits.

This blogpost from Randy Seaver at Genea-Musings gives detailed descriptions of the changes he made to preserve the small segments: https://www.geneamusings.com/2020/07/ancestrydna-changes-coming-soon-what-im.html

Roberta Estes, a most-experienced genetic genealogist, wrote here:  https://dna-explained.com/2020/07/16/ancestry-to-remove-dna-matches-soon-preservation-strategies-with-detailed-instructions/.  Indeed, she has again given very detailed instructions.  You can skip to Preservation near the end. 

For the future, the DNA blogger I like for timely, concise news is Dr. Leah Larkin at https://thednageek.com/blog/.   Dana has a good blog about which small-segment matches to save and especially instructions about how to save Thrulines matches.

#3  Breach at GEDmatch, a third-party DNA provider owned by Verogen.  I reported that the problem on July 19 was not a security breach but now it is being reported as an “attack”.  The website was down for multiple days and now the website has this message.

We have completed a thorough review of the site for security vulnerabilities and have made changes where appropriate to ensure the security of your data. If you note any issues that are of concern, please submit a request tracker ticket for resolution. For our Tier 1 members we will be extending your membership by 1 week.

They engaged a cybersecurity consultant to identify the attacker and motive plus to secure the GEDmatch website from future attacks.  The notification to users from Verogen is at the end of this post. 

In addition, there appears to have been a “malicious phishing attempt” affecting GEDmatch users who downloaded their DNA from MyHeritage to GEDmatch.  So far the assumption is that the GEDmatch attacker was able to steal email addresses.  They sent emails to MyHeritage users with a link to a MyHeritage look-alike site, asking users to log in so they could get their passwords.  The link is to myheritaqe.com.  It is hard to notice that they substituted a lower-case q for the g in MyHeritage.  MyHeritage has been promoting their two-factor authentication for quite some time to guard against this sort of hack.

Caution:  Be alert for fake emails from any of the companies but especially one that you downloaded to GEDmatch.  Change your password if you downloaded your DNA to GEDmatch.

The MyHeritage blogpost is here.  They are not aware of any data compromised on MyHeritage.

Also, Ancestry.com calls for us to use their security feature called “two-step verification”.

 

Email from the management at Verogen:

Dear GEDmatch member,

 On the morning of July 19, GEDmatch experienced a security breach orchestrated through a sophisticated attack on one of our servers via an existing user account. We became aware of the situation a short time later and immediately took the site down. As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt-in for law enforcement matching were available for law enforcement matching, and, conversely, all law enforcement profiles were made visible to GEDmatch users.

 On Monday, July 20, as we continued to investigate the incident and work on a permanent solution to safeguard against threats of this nature, we discovered that the site was still vulnerable and made the decision to take the site down until such time that we can be absolutely sure that user data is protected against potential attacks. It was later confirmed that GEDmatch was the target of a second breach in which all user permissions were set to opt-out of law enforcement matching.

 We can assure you that your DNA information was not compromised, as GEDmatch does not store raw DNA files on the site. When you upload your data, the information is encoded, and the raw file deleted. This is one of the ways we protect our users’ most sensitive information.

 Further, we are working with a leading cybersecurity firm to conduct a comprehensive forensic review and help us implement the best possible security measures. We expect the site will be up within the next day or two.

 We have reported the unauthorized access to the appropriate authorities and continue to work toward identifying the individuals responsible for this criminal act.

 Today, we were informed that MyHeritage customers who are also GEDmatch users were the target of a phishing scam. Please remember to exercise caution when opening emails and clicking links. Never provide sensitive information via email. If an email seems suspicious, contact the company in question directly through the phone number or email address listed on their website, not via a reply to the suspicious email. You can reach GEDmatch at gedmatch@verogen.com or (858) 285-4101. At this time, we have no evidence to suggest the phishing scam is a result of the GEDmatch security breach this week. We are continuing to investigate the incident.

 Please be assured that we take these matters very seriously. Our Number 1 responsibility is to protect the data of our users. We know we have not lived up to this responsibility this week, and we are working hard to regain your trust. We apologize for the concern and frustration this situation has caused.

 Sincerely,

Brett Williams
CEO, Verogen Inc.

 

