About 300,000 Ancestry.com members that use its RootsWeb genealogical community had their email/usernames and passwords compromised.
The initial breach was reported to the company by an outside security researcher on December 20 and the company has now released its own analysis of what took place. Ancestry.com confirmed that the file sent by the researcher did in fact contain member information and that a small number, about 1 percent, of the usernames and passwords for the free RootsWeb account were also used by the members for their paid Ancestry.com account.
“RootsWeb does not host sensitive information like credit card numbers or social security numbers, and is not supported by the same infrastructure as Ancestry’s other brands. We are in the process of informing all impacted customers and will also be working with regulators and law enforcement as appropriate,” Tony Blackham, Ancestry.com’s CISO said in a blog.
The company is contacting those affected and has already forced all RootsWeb members to reset their password. It has also taken RootsWeb offline to fix and the issue and enhance the site’s security. Ancestry.com is not certain if all the information contained in the forums will be salvageable.
“We are doing a deep analysis of RootsWeb, its design and how we might be able to help the community enhance the site and its services. It is our desire to continue to host these tools for the community with appropriate safeguards in place,” Blackham said.
The initial take on the breach is that about 245,000 of the accounts impacted were free versions created to access RootsWeb. Around 55,000 of the total number of credentials breached were for both a RootsWeb and at least one other Ancestry.com account.
Blackham said the RootsWeb infrastructure is separate from the system that operates Ancestry.com’s primary site and did not contain any additional critical information such as payment card data nor has the company seen any unauthorized activity on the exposed accounts.
“We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify. We have no reason to believe that any Ancestry systems were compromised,” Blackham said.