Ancestry’s RootsWeb Service Breached, 300,000 Records Exposed
An online forum hosted by genealogy website Ancestry.com has been hacked to the tune of some 300,000 records containing email addresses, usernames and passwords. Even so, the exposure’s fallout, said Ancestry, isn’t too bad, all things considered.
Here are the details: On December 20, an outside security researcher told the company that account information in a file on its RootsWeb server — which hosts a free, online forum widely used by people to share genealogical information — had been exposed. Ancestry subsequently confirmed the breach in a blog post.
The trove of vulnerable accounts were tied to RootsWeb.com’s surname list the company retired earlier this year, with about 50,000 records spanning both the forum’s and at least one of Ancestry’s sites. About 7,000 of the email and password combinations overlapped both the RootsWeb and existing paid Ancestry accounts, wrote Tony Blackham, Ancestry’s CISO, in a blog post.
“We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify,” he said.
Ancestry RootsWeb Breach: Minimal to No Impact?
So far, Ancestry hasn’t seen any obvious repercussions from the exposed records, Blackham said, although it’s not clear what he might notice one way or another. “We have no reason to believe that any Ancestry systems were compromised,” he said. In Ancestry’s favor, the RootsWeb server is separate from the infrastructure that supports Ancestry’s other brands and doesn’t house highly sensitive information such as credit card or social security numbers, the CISO said.
Ancestry is “in the process of informing all impacted customers and will also be working with regulators and law enforcement as appropriate,” Blackham said. The company has locked accounts belonging to Ancestry.com subscribers, required affected users to create new sign on data, and taken down the RootsWeb.com server to deal with the issue. In the meantime, Ancestry is also engaged in a post-mortem exercise. “We are doing a deep analysis of RootsWeb, its design and how we might be able to help the community enhance the site and its services. It is our desire to continue to host these tools for the community with appropriate safeguards in place,” Blackham said.
He then offered the same best practices cautions that security pros rightfully keep reminding users. “We always recommend that you take the time to evaluate your own security settings,” he said. “Please, never use the same username and password for multiple services or sites. And it’s generally good practice to use longer passwords and to change them regularly.”
Having started my family tree search using Rootsweb, long before Ancestry existed, I have always checked family data from Ancestry against what I find on Rootsweb. To not be able to access and doublecheck is frustrating indeed. Is there any hope of it returning anytime soon?