
The way GEDmatch works, you can enter any "kit number" and get a long list of matching people, which has their kit number, name, email and some other basic information.

It sounds to me like hackers just managed to traverse the entire database to hunt for emails. Which is not exactly hard given how the site works.

Most kit numbers seem to be a letter and 6 numbers, so not exactly hard to brute force either. You don't even have to get that many right, as for any hit you might get a list of 1000+ people and use their kit numbers to get even more.

You might say that's a terrible design security-wise, but that's what makes GEDmatch great for researching who you're related to. They'll either have to degrade the experience or be really stringent about rate limits and so forth.
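The enumerate-then-crawl pattern described in the comment above, as an added simulation that is not part of the thread and not GEDmatch's code. It builds a constructed in-memory "match service" with synthetic kit numbers shaped as one letter plus six digits (the 26 * 10^6 keyspace assumes an uppercase letter, which is an assumption), estimates how many blind guesses it takes to land on a real kit, and then shows that a single hit plus a breadth-first walk over the match lists recovers essentially the whole population while spending one request per kit. All names (FakeMatchService, harvest, make_matches) are hypothetical.

```python
"""Added example, not from the HN thread or from GEDmatch: enumeration plus
match-list crawl against a constructed, in-memory stand-in for a one-to-many
match service. Every identifier here is hypothetical; the only thing taken from
the comment is the kit-number shape (one letter followed by six digits)."""
import random
import string
from collections import deque

KEYSPACE = 26 * 10 ** 6  # assumption: one uppercase letter, then six digits


def random_kit(rng):
    return rng.choice(string.ascii_uppercase) + f"{rng.randrange(10 ** 6):06d}"


def make_population(rng, n):
    """n distinct synthetic kit numbers, each with a fake e-mail (constructed data)."""
    kits = {}
    while len(kits) < n:
        kit = random_kit(rng)
        kits.setdefault(kit, f"{kit.lower()}@example.invalid")
    return kits


def make_matches(rng, kits, links_per_kit):
    """Symmetric 'DNA match' graph: each kit is linked to a few random others."""
    ids = list(kits)
    matches = {k: set() for k in ids}
    for k in ids:
        for other in rng.sample(ids, links_per_kit + 1):
            if other != k:
                matches[k].add(other)
                matches[other].add(k)
    return matches


class FakeMatchService:
    """Stand-in for the site: unknown kit -> None, known kit -> [(kit, email), ...]."""

    def __init__(self, kits, matches):
        self.kits, self.matches = kits, matches
        self.requests = 0  # every lookup counts, hit or miss

    def one_to_many(self, kit):
        self.requests += 1
        if kit not in self.kits:
            return None
        return [(m, self.kits[m]) for m in sorted(self.matches[kit])]


def expected_guesses_per_hit(population_size):
    """Blind enumeration: on average keyspace / population guesses per valid kit."""
    return KEYSPACE / population_size


def harvest(service, seed_kit):
    """Breadth-first crawl from one valid kit; returns {kit: email} for all reachable kits.

    Each kit is queried exactly once; e-mails come from the match lists themselves,
    so the seed's own address shows up as soon as any of its matches is queried."""
    seen = {}
    queue = deque([seed_kit])
    queued = {seed_kit}
    while queue:
        records = service.one_to_many(queue.popleft())
        if records is None:
            continue
        for match_kit, email in records:
            seen[match_kit] = email
            if match_kit not in queued:
                queued.add(match_kit)
                queue.append(match_kit)
    return seen


def demo(n=2000, links_per_kit=4, seed=7):
    rng = random.Random(seed)
    kits = make_population(rng, n)
    service = FakeMatchService(kits, make_matches(rng, kits, links_per_kit))
    first_hit = next(iter(kits))  # stands in for the first lucky brute-force guess
    harvested = harvest(service, first_hit)
    return {
        "population": n,
        "expected_guesses_to_first_hit": expected_guesses_per_hit(n),
        "harvested": len(harvested),
        "requests_after_first_hit": service.requests,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting number is the ratio: with 2,000 synthetic kits in a 26-million keyspace the blind phase costs about 13,000 guesses per hit, but after the first hit the crawl needs only one request per kit, so a per-IP rate limit that only throttles failed lookups does nothing against the harvest phase; the limit has to apply to successful match-list reads too.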



I can’t believe this is a website. It’s essentially a rolling data breach.



