Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet.
In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server.
“Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers,” Blackham wrote.
On Wednesday, Ancestry.com told Threatpost it believed the data was exposed on November 2015. The data resided on RootsWeb’s infrastructure, and is not linked to Ancestry.com’s site and services. Ancestry.com said RootsWeb has “millions” of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards.
The company said RootsWeb doesn’t host sensitive information such as credit card data or social security numbers. It added, there are no indications data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server.
Another data breach from years ago, this time from one of @Ancestry's services. Really impressed with the way they handled this: I got in touch with them bang on 72 hours ago and they've handled it in an exemplary fashion https://t.co/9qo7LIUQy4
— Troy Hunt (@troyhunt) December 23, 2017
The exposure of data was first brought to Ancestry.com’s attention on Dec. 20 when Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, reported to the company the existence of the file on RootsWeb’s server.
According to a tweet by Hunt the publicly exposed data contained plain text passwords.
“Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of Rootsweb’s surname list information, a service we retired earlier this year,” Blackham said.
The company said as it investigates some of RootsWeb’s services would be taken offline. On Wednesday, visitors were greeted with the message:
“Rootsweb is currently unavailable. We have been in the process of improving the site throughout 2017, and as a result of an issue we recently became aware of, we have taken the site offline while we work to resolve it.”
Customers were told as a result of some sections of RootsWeb being taken offline it “may not be able to salvage everything” as Ancestry.com works to resolve this issue and “improve the site’s infrastructure.”
Ancestry.com declined to say how long the site would have limited functionality. However, in a comment section of Ancestry.com a company representative told a customer: “We do not have a specific timeline at this point. We hope it will take no more than a few weeks to resolve these issues.”
Blackham said 55,000 impacted accounts will be “locked” and users trying to access them will be forced to create a new password. Affected users will also be notified by email of the user data exposure.
“We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify,” Blackham said. “This issue involves less than one percent of our users, so there is a very good chance your account wasn’t involved.”
Over the past several days RootsWeb users have peppered Blackham’s security update blog post with passionate requests to preserve user data and return functionality.
“I use several Rootsweb sites daily for my research and various others on a regular basis. PLEASE restore access soon!” wrote a user named Heather.
Ancestry.com joins a long list of companies that have fallen victim to a leaky server that has inadvertently exposed sensitive company information to the public internet in 2017.