The ancestry and family tree website Ancestry.com revealed last week that data on 300,000 users, including email addresses, usernames, and passwords, was publicly exposed on one of its servers. Tony Blackham, the company’s Chief Information Security Officer, issued a statement shortly before the Christmas holiday noting that the user data was in a file publicly exposed on a server for RootsWeb, Ancestry.com’s community-driven genealogy site.
In a post discussing the leak, Blackham wrote that “the vast majority of those were from free trial or currently unused accounts.” However, the data from roughly 55,000 users was also used on other Ancestry sites. In the worst cases, around 7,000 leaked email/password combinations were found to have matched the credentials for active Ancestry customers.
As a service, RootsWeb is often used by members for sharing their family trees and conversing on the site’s message boards. During the week, Ancestry.com admitted that it believes the user data had been exposed since November 2015, but that it was only stored on RootsWeb servers, and wasn’t connected to any of the company’s other sites. Similarly, RootsWeb never hosted credit card information or users’ social security numbers.
The company didn’t go into specifics on how or why the server wasn’t secured, but it said that there had been no signs that a malicious third party had accessed the data. The RootsWeb site was taken offline during the week as part of an investigation, with the company noting that it would be some time before its services were restored.
“We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify,” said Blackham. “This issue involves less than one percent of our users, so there is a very good chance your account wasn’t involved.”
Along with notifying users by email, 55,000 of the affected accounts will be locked, forcing those users to create a new password.
SOURCE Threat Post