A data breach has exposed the login credentials belonging to 300,000 users of RootsWeb, a service owned and sponsored by Ancestry.com.
On 4 December 2017, someone posted a file containing the usernames and plaintext passwords of 300,000 users to a hacker forum. An analysis of the dump, which was still available for download as of 27 December 2017, suggests the hackers infiltrated the domain rsl[dot]rootsweb[dot]ancestry[dot]com. They then stole the information from a server maintained by Ancestry.com for RootsWeb, a free online genealogical community which allows members to participate in mailing lists and message boards.
As reported by HackRead, independent security researcher Troy Hunt ultimately found the data dump. His investigation indicates that the breach occurred in 2015 and that Ancestry.com was unaware of the incident at the time. So he reached out to the for-profit genealogy company and gave them the file.
New breach: Ancestry service "RootsWeb" had almost 300k email addresses and plain text passwords compromised in 2015. 57% were already in @haveibeenpwned. Read more: https://t.co/gSOwv23poS
— Have I been pwned? (@haveibeenpwned) December 24, 2017
Ancestry.com’s information security team subsequently reviewed the file and determined that the information contained therein was legitimate. Tony Blackham, CISO of the service, explains more of what the security personnel found:
Though the file contained 300,000 email/usernames and passwords, through our analysis we were able to determine that only approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers. As part of our investigation, our team also uncovered other usernames that were present on the RootsWeb server that, though not on the file shared with us, we reasonably believe could have been exposed externally. We are taking the additional step of informing those users as well.
We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify.
Blackham goes on to note that he has no reason to believe any Ancestry systems were compromised. He also reassured those affected by the breach that sensitive information, including their financial data and Social Security Numbers, is safe.
In response to the breach, Ancestry.com has temporarily taken RootsWeb offline while it works to make sure all user data is “safe and preserved.” It has also locked the accounts of all 55,000 Ancestry.com users affected by the RootsWeb breach and notified them of the incident. Those users must change their passwords if they wish to regain access to their accounts.
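To show the kind of triage Blackham describes, matching a leaked username/plaintext-password file against an internal store that holds only salted hashes and then locking every account whose leaked password still works, here is an added Python example. It is not Ancestry's code; the store layout, the PBKDF2 parameters and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed store parameter; use the real store's own settings

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF the real store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)

def build_store(users):
    """Constructed internal credential store: email -> (salt, hash, account status).
    Plaintext is used only to seed this demo; a real store never keeps it."""
    store = {}
    for email, password, status in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt), status)
    return store

def parse_dump(text: str):
    """Parse 'user:password' lines from the leaked file; malformed lines are skipped."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, _, password = line.partition(":")
        creds.append((user.strip().lower(), password))
    return creds

def triage(dump_text: str, store):
    """Sort dump entries into: password valid on an active account, valid on a
    trial/unused account, or an identity we do not hold at all. Entries whose
    identity we hold but whose password no longer matches need no action."""
    result = {"matched_active": [], "matched_inactive": [], "unknown": []}
    for email, password in parse_dump(dump_text):
        record = store.get(email)
        if record is None:
            result["unknown"].append(email)
            continue
        salt, stored_hash, status = record
        if hmac.compare_digest(hash_password(password, salt), stored_hash):
            bucket = "matched_active" if status == "active" else "matched_inactive"
            result[bucket].append(email)
    return result

def accounts_to_lock(result):
    """Every account whose leaked password still works gets locked and force-reset."""
    return sorted(result["matched_active"] + result["matched_inactive"])
```

The KDF cost is deliberate: checking a 300,000-line dump this way takes minutes, which is acceptable for a one-off incident triage and keeps the plaintext out of any persistent store.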
Those affected by the breach can use these experts’ advice to create a strong, unique password for their Ancestry.com profile and other web profiles.
Meanwhile, the genealogical service has said it will continue to work with regulators and law enforcement to investigate the breach and minimize its impact.