Genealogy has become one of the fastest-growing hobbies in North America, captivating millions of Americans eager to explore their ancestral roots. Valued at over $5 billion, the genealogy industry offers a range of tools—from DNA testing kits to digital family tree builders—that allow individuals to uncover relatives, trace migration patterns, and reconnect with their heritage. This journey into the past often brings a profound sense of identity and connection, making genealogy a warm and nostalgic experience for many.
However, while genealogy platforms feel personal and harmless, there is an important and often overlooked downside: the personal information shared on these sites can expose users and their families to significant security risks. The very data that helps you discover your great-grandparents can also be exploited by scammers who seek to steal identities or conduct fraud. Once personal details are uploaded online, they rarely remain confined to a single platform. Instead, they can spread widely across the internet, creating vulnerabilities that many users do not anticipate.
When building a family tree online, users typically provide a wealth of personal information. This includes names, birthdates, birthplaces, maiden names, marriage details, and sometimes even full biographies. While each piece of information might seem innocuous on its own, combined, they create detailed identity profiles—not only of the individual but of their entire family network. This comprehensive data is exactly what scammers and cybercriminals look for when attempting to impersonate someone or bypass security systems.
Many genealogy websites have default settings that make family trees public. Even when users set their accounts to private, there are multiple ways their data can still become accessible. For example, relatives may share information, or data might leak through other sources connected to the genealogy site. Over time, search engines may index this information, bots can scrape it, and data brokers can absorb it into their vast databases. This means that your family’s personal details can appear on people search websites, background check platforms, and marketing databases without your knowledge or consent.
Recent events have highlighted the risks involved in sharing genetic data through these services. The bankruptcy of 23andMe, one of the leading DNA testing companies, served as a stark reminder that user data does not simply vanish when a company changes ownership or closes. Genetic information, in particular, raises profound privacy concerns, but the broader genealogy ecosystem is equally vulnerable. When you upload multi-generational family details, you surrender control over how long this data is stored, who may access it, and where it might end up in the future. Trusting a company today does not guarantee your data’s safety tomorrow.
Cybercriminals have evolved beyond targeting simple financial information like credit card numbers. Now, they seek contextual personal details that enable them to convincingly impersonate individuals or bypass security protocols. Family tree websites provide a treasure trove of such information. Here are some of the key ways scammers exploit genealogy data:
First, many financial institutions still use knowledge-based authentication questions to verify identities. These questions—such as "What is your mother’s maiden name?" or "Where were you born?"—often have answers readily available on public family trees. With sufficient background information, scammers can bypass these security questions without needing passwords or other sensitive data.
Second, scammers can craft highly personalized emergency scams. For instance, a criminal who knows your family’s names and relationships might send a message pretending to be a relative in distress, such as: "Hi, Aunt Linda, it’s Jake. I’m stuck overseas and need help." Because the scammer's message includes accurate family details, it becomes more believable, making victims more likely to respond and send money or sensitive information.
Third, when one person’s genealogy data is exposed, it often leads to broader family-wide vulnerabilities. Scammers can map out entire family networks, identifying multiple relatives and launching coordinated phishing attacks against them. This multiplies the potential damage, turning a single data leak into a widespread security threat.
Data brokers exacerbate the problem by collecting and reselling personal information gathered from various sources, including genealogy websites. These brokers create detailed relational profiles that incorporate phone numbers, addresses, family ties, and other personal details. When genealogy data is scraped or sold to these brokers, it enhances the depth and accuracy of these profiles, making them even more valuable to marketers and criminals alike.
Many users believe privacy settings on genealogy platforms fully protect their information, but this is not the case. Once personal data spreads across multiple websites and databases, tracking and controlling its distribution becomes virtually impossible. Data brokers constantly update their records