Private Data Breach

+250 votes
14.6k views

Update 31 Aug 2023:

The personal email messages to victims were completed this morning. If you want to search your email to see if you received one, the subject line on these is "WikiTree Private Data Breach Alert".

We sent 1,081 messages. The difference between this and the 1,528 mentioned yesterday is because:

  • Many are close family members of team members. These are being handled separately.
  • Many are closed accounts for spammers. Since most of the compromised data was from 15 years ago, the first year of WikiTree, our anti-spam controls were weaker.
  • Many are closed accounts for members who have passed away.
  • Some are living notables managed by projects.

This case is not over. We are continuing to analyze and understand the hacker's activities and his email messages to determine if additional records were compromised, while remaining vigilant against ongoing attacks. In both cases, records are being saved so they can be reported to authorities.

More to the point for the 1,081 individuals who received an alert, we will be using monitoring services to see if the compromised data appears on the "dark web," and send another alert if it does. At this point, we have no evidence that the hacker did anything but download the data and select certain information to include in email messages to the team, our family members, and selected WikiTree volunteers. He understands that his own liability will increase significantly if he distributes the data, and especially if anyone is harmed by its distribution. He has been encouraged to turn it over to authorities.


Update 30 Aug 2023:

Our estimate is that 4,175 private profiles were compromised. 1,528 unique email addresses were viewed. Almost all of the private profiles were created prior to March 2009 and many represent former members and recently-deceased family members. Today we are beginning the personal emails.


Original Announcement 28 Aug 2023:

WikiTreers,

We have just discovered a privacy leak that enabled a hacker to illegally download thousands of change histories for profiles, many of which were private, and some of which included account email addresses, names, and dates of birth, but not passwords.

He discovered a backdoor way to view the history of changes to a profile ("diff" pages) as if he were a member of the Trusted List. The vulnerabilities in our code that enabled this method of attack have been fixed.

Unfortunately, we are still trying to identify all the profiles that he accessed. When this is done, we will personally contact the members who were directly affected. We will also complete data breach reports with the proper authorities.

Authorities have already been contacted regarding the individual who downloaded the private data. He has demanded payment in order to keep it secret. Although we will not pay him, our hope is that because he knows his digital fingerprints can be definitively connected to the data breach, and because his own identity is known, he will not risk further criminal and civil liability by distributing it.

I want to personally apologize for the mistakes in our code that allowed this to happen.

We will update you as more information becomes available. Please email info@wikitree.com if you have any questions.

Sincerely,

Chris Whitten

in The Tree House by Chris Whitten G2G Astronaut (1.5m points)
edited by Chris Whitten
Hi Ruth. This is difficult to estimate. We can say that most of the records are for Americans. However, only a small percentage had birth or death locations, and this is not the same as current residence. WikiTree has never asked for home addresses.
Thank you for the information. I appreciate getting a bit more information than is usually given with one of these super annoying events. A reminder to everyone that no data, of any kind, is safe anywhere. If you want that kind of privacy you have to go completely off-grid. So change passwords frequently, use two-factor verification at any important (particularly financial) place and practice good computer-savvy hygiene with all your devices. Remember as well that physical theft from autos, homes and businesses presents the same risks. Meanwhile enjoy life, learn a lot and don't be afraid of the bad guys.
You don't think the other sites have this problem as well? They do; they just aren't as open in admitting it.

I've gotten emails from Ancestry (haven't used the others) saying that information has been taken. There are also random people who are sending spammy emails to members thinking it's a dating site or trying to get information.

This makes me very sorry I ever entrusted any information to this site. These profiles and the relationships between them are EXACTLY the information used on many security questions across the internet and in real life. I really should have known better. And no, I don't think I'm being overly harsh. Please let me know ASAP on the unlucky chance that I am one of the victims.

I am not active on this site, and am currently researching my own lineage on other sites, but if I may make a suggestion about your secret questions and answers relating to 2FA (two-factor authentication): I know that people close to me, or even previously but no longer close to me, can a lot of times pick these things out. What I do is, no matter what the question is, I give the same answer and it has nothing to do with the question. As an example, say the question is "What street did you grow up on?" My answer would hypothetically be "thirty-seven". Likewise if it were "What is your dad's middle name?" One, you only have to remember one answer, and two, anyone who has access to your social media pages and can sniff out data with any kind of competence (like, you can have your friends list private, but your friends don't, and links can be made if anyone has ever commented on your page simply by going to their page with an open friends list, right? I've done away with social media altogether for many reasons, a lot of which relate to direct assault on privacy), or anyone who knows you directly or by proxy, or KNEW you once upon a time perhaps during poignant times in your life, will not be able to guess. Just my humble $.02 from a complete stranger.

Oh, and one more thing: use a password keeper and allow it to generate passwords that are not word-based. I use Bitwarden because it works on virtually every platform, and plugs into the popular browsers as well as having a web interface with a short timeout in case you forget to log out. It is encrypted with a 5-word phrase and even Bitwarden doesn't keep your password on file. If you lose the master password, all the passwords kept will be destroyed on reset. It's only inconvenient in that you will have to fetch your passwords, but you will only have to remember ONE password. Make it a non-word-based one, write it down and keep it safe, 14-character minimum, and memorize it.

I learned these things the hardest way possible and had to rip all the hard drives out of my several PCs and run LIVE operating system disks whenever I needed to use them. It was a year-long battle until I was certain my network was clean. It was like having someone break into my house and steal things from my dresser on a daily basis, with a surveillance system for them to watch at the same time. Talk about heebie-jeebies. And no one believed me at first, which made me crazy until I was able to show proof that they would comprehend. I learned Linux by hyperbolic gunpoint. LOL Now I'm in the process of de-Googling everything I own. (Who died and made them God of the internet anyhow??)

Anyway, this is just the 2 cents of a stranger. I hope you're having a better week. Hope this wasn't too TL;DR.

Sorry, that appears to be really, really paranoid. I can get your mother's maiden name by just looking at the obituaries of your mom and your aunts and uncles. I can get your address from several of the data mining sites on the Internet. I can get pictures of you. I know your work history from LinkedIn. You need to have that site up if you want to impress employers and to obtain employment in other fields. So you have no such thing as privacy. Stop the thing about privacy. You have none. End of discussion!
Couldn't have said it better myself!
You can feel 'password cosy' by using non-alpha and 2FA, but that only relates to your own account. If a hacker breaches the website database and encryption then all your efforts are in vain. The only way you can ensure that your passwords cannot be breached is not to have ANY - i.e. stay off the internet.
I'm glad everyone has researched the NATURE of the breach before offering 'helpful' suggestions, which I have now come to turn off. In this particular case things like 2FA would offer NO protection against what was done.

I must continue to believe that when someone can pull a switcheroo by copying and pasting from URLs, or by simply doing so in Postman, any blame for such a breach falls pretty squarely on the programmers.

Maybe use a random number concatenated to the existing auth key to form a key to AES-encrypt the actual Trusted List name, to shroud the URL/POST components so such easy hacks aren't feasible, or at least make them traceable. That's a 5-second rough outline of what might be done. It might need tweaking. That's in addition to privilege/ownership checking within the database itself or in middleware.

If you didn't understand that maybe you shouldn't be explaining 2FA and password wallets to me?
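
The class of bug the comment above describes, a client-supplied value being trusted for the authorization decision on a "diff" page, in a toy Python sketch. This is an added illustration, not WikiTree's code, and it does not reproduce the actual flaw, whose details the page does not give; PROFILES, the Trusted Lists, the `as_user` parameter and the function names are constructed for the example.

```python
"""Toy 'diff page' authorization check: a vulnerable version beside a hardened one.

Illustration only. Nothing here is WikiTree code or a reconstruction of the actual
flaw; PROFILES, the Trusted Lists, `as_user` and the function names are constructed.
"""
import logging
from typing import Dict, List, Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
audit = logging.getLogger("diff-audit")

# Constructed sample data: each profile has a privacy level, a Trusted List of user
# names allowed to see its private history, and the change history itself.
PROFILES: Dict[str, dict] = {
    "Smith-1": {
        "privacy": "public",
        "trusted_list": {"alice", "bob"},
        "history": ["2009-01-02 alice: created profile"],
    },
    "Jones-7": {
        "privacy": "private",
        "trusted_list": {"carol"},
        "history": [
            "2008-11-20 carol: created profile",
            "2008-11-21 carol: set birth date 1961-03-04, email carol@example.invalid",
        ],
    },
}


class Forbidden(Exception):
    """Raised when the requester may not view a profile's change history."""


def diff_page_vulnerable(params: Dict[str, str], session_user: Optional[str]) -> List[str]:
    """Vulnerable: the authorization check runs against an identity the client asserts.

    `params` stands for the query string or POST body. A Trusted List check is done,
    but on `as_user` taken from the request, so editing the URL, or replaying the
    request from an HTTP client such as Postman, lets anyone read a private history.
    """
    profile = PROFILES[params["id"]]
    if profile["privacy"] == "public":
        return profile["history"]
    claimed_viewer = params.get("as_user", session_user)  # the bug: client-controlled
    if claimed_viewer in profile["trusted_list"]:
        return profile["history"]
    raise Forbidden(params["id"])


def diff_page_hardened(params: Dict[str, str], session_user: Optional[str]) -> List[str]:
    """Hardened: identity comes only from the authenticated session, the object-level
    check is made server-side against the profile's own Trusted List, and every
    decision on a private profile is logged so access is traceable after the fact.
    """
    profile_id = params["id"]
    profile = PROFILES[profile_id]
    if profile["privacy"] == "public":
        return profile["history"]
    # Anything the client sent about who it is (e.g. an `as_user` field) is ignored.
    if session_user is None or session_user not in profile["trusted_list"]:
        audit.warning("DENY  diff id=%s viewer=%s", profile_id, session_user)
        raise Forbidden(profile_id)
    audit.info("ALLOW diff id=%s viewer=%s", profile_id, session_user)
    return profile["history"]


if __name__ == "__main__":
    # 'mallory' is logged in but not on Jones-7's Trusted List, and tampers with the
    # request to claim to be 'carol', who is.
    tampered = {"id": "Jones-7", "as_user": "carol"}
    print("vulnerable:", diff_page_vulnerable(tampered, "mallory"))  # leaks the history
    try:
        diff_page_hardened(tampered, "mallory")
    except Forbidden as exc:
        print("hardened: denied", exc)
```

The vulnerable version does perform a Trusted List check, but against an identity the requester asserts, so swapping one value in the query string or replaying the request from an HTTP client is enough. The hardened version takes the viewer only from the authenticated session, decides on the server against the profile's own Trusted List, and writes an audit line for every decision on a private profile so access can be traced afterwards. Obscuring or encrypting the identifiers in the URL, as the comment also suggests, can make tampering harder to do blindly and easier to spot, but it is not a substitute for that server-side object-level check.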

Point well taken! I did not know the nature of the security breach. Since Postman is used by a gillion users with probably the world's largest API hub, I can understand how it happened. Doesn't mean I find the programming acceptable.

It does sound like either you're a bit paranoid and overreacted OR someone really put you through a new level of hell to get you to that point. Either way, I get it! Maybe it's cuz I'm a paranoid person too, but rightfully so! It's hard to explain what that invasion of privacy can do to someone mentally! A few years ago my ex-husband pulled some strings and was able to monitor me through my internet connection. I found out several months into his stalking (that I can verify) when the son that temporarily lived with him confronted me about a private conversation between me and my other son. We only spoke about that topic one time, late at night in my bedroom, because we were both unable to fall asleep. When I heard the exact words I spoke repeated back to me verbatim, there was no denying it! Thankfully my ex is technologically illiterate, because I was able to find the leak and track it down to his specific address across town! Once you know your privacy has been invaded to that degree you can't help but be paranoid!

44 Answers

+101 votes
Thank you, Chris and Team, for letting us know of this breach!
by David Selman G2G Astronaut (1.3m points)
Sorry, the best answer star was given accidentally.
Not a problem and you are welcome to remove the best answer star, Cheryl
+95 votes
Thank you for taking care of this so quickly and appropriately Chris.  It's never easy to deal with when something like this happens.
by Amy Gilpin G2G6 Pilot (216k points)
+67 votes
That's unfortunate. =( At least the culprit was caught and he will be punished. I am confident in that. Some people really do have way too much time on their hands. You don't have to apologize to us, Chris. If anything, the hacker should apologize to us. Once he's done time....

Sorry this happened. Keep us posted, Chris!
by Chris Ferraiolo G2G6 Pilot (771k points)
I hope that they will be punished and that this will never happen again.
We can only hope.
+83 votes
Thank you, Chris and everyone on the Admin Team for all of your hard work and dedication. Sad that there are people out there who want to spend so much time and effort on something like that. Sorry that you all have to deal with it, but so appreciative of your prompt response and communication to the community.
by Azure Robinson G2G6 Pilot (565k points)
+65 votes
Thanks for letting us know Chris, and for the quick response.
by Danielle Liard G2G6 Pilot (663k points)
Thank you for your honesty and integrity, my dear friend. Thank you very much, my dear friend; and God bless you.
+77 votes
Thank you for the transparency.
by Shonda Feather G2G6 Pilot (413k points)
+69 votes
Thank you for catching this breach and informing us.
by Tanya Kasim G2G6 Mach 1 (17.5k points)
+62 votes
Thanks for keeping us informed Chris. Data breaches are happening in all sorts of systems around the world but it's good to know you and the team are on the case.
by Jutta Beer G2G6 Mach 6 (67.7k points)
+53 votes
I'm glad he was caught, but hope there weren't too many who were affected.
by Alice Glassen G2G6 Mach 5 (58.2k points)
Too many of these breaches result in never knowing who did it. It's great you were able to identify your hacker and they are being dealt with appropriately. There are several statutes that deal with hacking. This is a good description:
https://www.rendelmanlaw.com/2021/06/09/is-hacking-a-crime-united-states-hacking-laws-explained/
+54 votes
Thank you for the transparency on this issue and resolving it.
by Teresa Willis G2G6 Mach 4 (50.0k points)
+52 votes
Thank you Chris for the heads-up. Your quick actions and honesty are appreciated by all!

 Is there anything we should be on the lookout for?
by Marty Franke G2G6 Pilot (792k points)
Thank you, Marty, Nathan, and everyone, for your understanding and patience.

Please be on the lookout for emailed threats regarding your private data. If you receive one, we recommend that you do not reply. Instead, forward the message to info@wikitree.com, or go directly to your local police.
YES!!! Please post this info at several locations so that few can miss it. One should never let these scum know that their actions have even been noticed. More info to the authorities should help to minimize this in the future (I hope!).

THANKS for keeping us informed - - -
+53 votes
Thank you Chris and team for your swift action! Does this have to do with why WikiTree has been running slow today? Thank you!!
by Skye Sonczalla G2G6 Pilot (103k points)
Hi Skye. We did experience what may have been a denial of service attack today but we can't comment on the details.
Good!  Please don’t!
Thank you Chris! :)
+50 votes
Thanks Chris for keeping us in the loop. It's sad when a breach comes from the inside, we like to believe in our "trusted members." I've long believed we have one of the most cohesive and solid communities anywhere. To have someone betray our trust hurts. Sadly, there's no real way to keep people out who have bad intentions.
by Karen Fuller G2G6 Mach 3 (33.2k points)
+43 votes
Thank you Chris for the info, let's hope he can't hurt anyone in any way. Can he for example enter this page and pick more names?
by Kari Undbekken G2G6 Mach 6 (60.8k points)
Hi Kari. The weaknesses in our controls that allowed his intrusion have been fixed. However, most of WikiTree, including this page, is entirely public on the open internet. The only good point I can make is that his identity is known, he knows that it is known, and he lives in a country that has a reliable justice system.
+48 votes
This is the reason why I never add living people here. No matter how secure you think it is, someone determined enough will get in. I am not going to be the person that will have to explain to a family member that I added them to a website (most likely without their knowledge) and their info is now exposed and being held for ransom.
by Jim Tareco G2G6 Mach 3 (36.7k points)
Good point, Jim.

WikiTree's policies no longer allow you to add information about living family members without their knowledge and consent. https://www.wikitree.com/wiki/Help:Privacy_Policy#Information_on_Living_Family_Members

If you are aware of any living people whose private information is on WikiTree without their consent, please email info@wikitree.com.
+41 votes
This happens to even huge corporations with big security budgets. It's a fact of life these days. To be fair, the information they got (even if they did get mine) would be comparable to what most people could find out there using Google for me if they tried hard enough.
by Matthew Evans G2G6 Mach 7 (74.0k points)
+25 votes
Thanks for the heads up :)
I presume this is why I've been getting over 100 spam emails DAILY
by Peita Pateman G2G Crew (950 points)
Hello Peita,

Unless the spam messages began recently, there is no reason to suspect a connection. If they did just begin, please forward them to info@wikitree.com. If they contain any threats, we urge you to report them to your local police.

Chris
Hmm interesting.
They've been happening for about 2 weeks now.
Thankfully there's no threats etc just general spam for products, pharmaceuticals and non delivered mail haha.
Different problem. haha.
It may be unrelated to WikiTree, and it's possible another online account you use has been breached. I highly recommend you run the email address being spammed through this: https://haveibeenpwned.com/

It will tell you of any accounts you have related to that email that have been breached. :)
Oh wow thanks for that link!
I went through the websites it suggested and I've not had an account with them for at least a decade!! (ie before the supposed data breaches happened)

And it's weird that these excessive spam emails have only been happening in the last 2 weeks!??? You'd think if I was still signed up to those places, I would've had it happening for years?
+38 votes
Thanks Chris for keeping us up to date. I am very impressed with the way that you and the senior team have worked to deal with the problem.
Meanwhile, may the culprit have ants in his underclothes for the rest of his life.

Steve
by Steve Bartlett G2G6 Mach 7 (78.1k points)
My seven year old grandson, looking over my shoulder, said "That's a bit harsh"
Make a note of that, and in ten years, ask him if his opinion has changed. :-)

Thank you for making me have a giggle. Sounds like a great kid! I have a 7-year-old in my life . . . she would have said that I should never be "mean," and "people make mistakes, you have to try to forgive them". (They're not wrong, but . . . ) I love that they are so innocent, and that life is so simple for them still.

+32 votes
It has become inevitable that you or I will be hacked. It's not if, it's when. My nephew is in the IT support business. The largest undertaking for them in recent years is to secure their clients sites.
by Jim Slaughter G2G2 (2.6k points)
+41 votes
Yesterday, when my husband phoned me at lunchtime, I told him I thought I'd been banned from Wikitree. He said "they won't have banned you babe, you are too much use to them." Of course he was right and everything was back to normal by teatime.

Today when he phoned me and asked how my day was going, I replied "I've not been banned from anything and I've got no kids to look after, so it's going great." He really laughed.
by Gillian Causier G2G6 Pilot (294k points)
For anyone who has trouble accessing WikiTree: Please accept our apologies and contact info@wikitree.com.

Protecting privacy and safety comes before anything else, so we have intentionally tightened all our tripwires.
Thanks Chris, that's exactly what I did and I got a reply from Abby in 20 mins, which is pretty fast.
