Genealogy Software Maker Exposes Data on 60,000 Users

A US tech company that manages popular family tree software has exposed tens of thousands of its users’ personal information online via a misconfigured cloud server, according to researchers.

A team from WizCase led by Avishai Efrat discovered the unsecured Elasticsearch server leaking 25GB of data linked to users of the Family Tree Maker software.

First released in 1989, it has had numerous corporate owners, including Broderbund, The Learning Company, Mattel and, prior to Software MacKiev which is currently in charge of the code.

WizCase informed the US software company of the incident and, although it didn’t receive a reply, the incident was apparently remediated shortly after.

Among the details leaked to the public-facing internet were email addresses, geolocation data, IP addresses, system user IDs, support messages and technical details.

WizCase warned that a hacker could have used the information to craft convincing follow-on phishing attacks and identity fraud.

It also claimed the leaked comments and complaints could have given MacKiev’s competitors an opportunity to target unhappy customers, while technical details could be utilized in a different way.

“The leak exposed technical details about the system’s backend, which could help attackers leverage multiple cyber-attacks on Software MacKiev and its associated companies,” it was claimed.

“That way cyber-criminals can steal additional user data, infect the system with malware or even take complete control over parts of the systems.”

MacKiev is said to have developed the macOS version of Family Tree Maker since around 2010, and bought the Windows version of the software from Ancestry in 2016.

Some 60,000 users are thought to have been exposed in this privacy snafu.

It’s one of many such incidents resulting from configuration errors on internet-connected computing resources. Last week, WizCase disclosed similar issues in multiple e-learning platforms exposing nearly one million records.

Research from earlier this month found the same misconfigurations put the security and privacy of countless users of global dating apps at risk.

What’s Hot on Infosecurity Magazine?