Update 31 Aug 2023:
The personal email messages to victims were completed this morning. If you want to search your email to see if you received one, the subject line on these is "WikiTree Private Data Breach Alert".
We sent 1,081 messages. This is fewer than the 1,528 addresses mentioned yesterday because:
- Many are close family members of team members. These are being handled separately.
- Many are closed accounts for spammers. Most of the compromised data dates from 15 years ago, the first year of WikiTree, when our anti-spam controls were weaker.
- Many are closed accounts for members who have passed away.
- Some are living notables managed by projects.
This case is not over. We are continuing to analyze and understand the hacker's activities and his email messages to determine if additional records were compromised, while remaining vigilant against ongoing attacks. In both cases, records are being saved so they can be reported to authorities.
More to the point for the 1,081 individuals who received an alert, we will be using monitoring services to see if the compromised data appears on the "dark web," and send another alert if it does. At this point, we have no evidence that the hacker did anything but download the data and select certain information to include in email messages to the team, our family members, and selected WikiTree volunteers. He understands that his own liability will increase significantly if he distributes the data, and especially if anyone is harmed by its distribution. He has been encouraged to turn it over to authorities.
Update 30 Aug 2023:
Our estimate is that 4,175 private profiles were compromised and 1,528 unique email addresses were viewed. Almost all of the private profiles were created prior to March 2009, and many represent former members and recently deceased family members. Today we are beginning the personal emails.
Original Announcement 28 Aug 2023:
WikiTreers,
We have just discovered a privacy leak that enabled a hacker to illegally download thousands of change histories for profiles, many of which were private, and some of which included account email addresses, names, and dates of birth, but not passwords.
He discovered a backdoor way to view the history of changes to a profile ("diff" pages) as if he were a member of the Trusted List. The vulnerabilities in our code that enabled this method of attack have been fixed.
Unfortunately, we are still trying to identify all the profiles that he accessed. When this is done, we will personally contact the members who were directly affected. We will also complete data breach reports with the proper authorities.
Authorities have already been contacted regarding the individual who downloaded the private data. He has demanded payment in order to keep it secret. Although we will not pay him, our hope is that because he knows his digital fingerprints can be definitively connected to the data breach, and because his own identity is known, he will not risk further criminal and civil liability by distributing it.
I want to personally apologize for the mistakes in our code that allowed this to happen.
We will update you as more information becomes available. Please email info@wikitree.com if you have any questions.
Sincerely,
Chris Whitten