Content, Governance, Risk and Compliance, Breach

Ancestry’s RootsWeb Service Breached, 300,000 Records Exposed

Tony Blackham
Tony Blackham

An online forum hosted by genealogy website Ancestry.com has been hacked to the tune of some 300,000 records containing email addresses, usernames and passwords. Even so, the exposure’s fallout, said Ancestry, isn’t too bad, all things considered.

Here are the details: On December 20, an outside security researcher told the company that account information in a file on its RootsWeb server -- which hosts a free, online forum widely used by people to share genealogical information -- had been exposed. Ancestry subsequently confirmed the breach in a blog post.

The trove of vulnerable accounts were tied to RootsWeb.com’s surname list the company retired earlier this year, with about 50,000 records spanning both the forum’s and at least one of Ancestry’s sites. About 7,000 of the email and password combinations overlapped both the RootsWeb and existing paid Ancestry accounts, wrote Tony Blackham, Ancestry’s CISO, in a blog post.

“We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify,” he said.

Ancestry RootsWeb Breach: Minimal to No Impact?

So far, Ancestry hasn’t seen any obvious repercussions from the exposed records, Blackham said, although it’s not clear what he might notice one way or another. “We have no reason to believe that any Ancestry systems were compromised,” he said. In Ancestry’s favor, the RootsWeb server is separate from the infrastructure that supports Ancestry’s other brands and doesn’t house highly sensitive information such as credit card or social security numbers, the CISO said.

Ancestry is “in the process of informing all impacted customers and will also be working with regulators and law enforcement as appropriate,” Blackham said. The company has locked accounts belonging to Ancestry.com subscribers, required affected users to create new sign on data, and taken down the RootsWeb.com server to deal with the issue. In the meantime, Ancestry is also engaged in a post-mortem exercise. “We are doing a deep analysis of RootsWeb, its design and how we might be able to help the community enhance the site and its services. It is our desire to continue to host these tools for the community with appropriate safeguards in place,” Blackham said.

He then offered the same best practices cautions that security pros rightfully keep reminding users. “We always recommend that you take the time to evaluate your own security settings,” he said. “Please, never use the same username and password for multiple services or sites. And it’s generally good practice to use longer passwords and to change them regularly.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.

You can skip this ad in 5 seconds