I normally don’t publish articles on weekends but this one incident is important enough to make an exception:
A security researcher notified Ancestry this week of a hole in Ancestry’s online security that affected a small number of Ancestry subscribers. A file containing email address/username and password combinations from a RootsWeb.com server was exposed to anyone who knew where to look for it. There is no evidence that any hacker, or anyone else other than this one security researcher, ever accessed the file.
The folks at Ancestry quickly fixed the problem.
According to a notice posted in the Ancestry Blog:
“Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of Rootsweb’s surname list information, a service we retired earlier this year.”
The same notice also states:
“We also reviewed the RootsWeb file to see if any of the account information overlapped with existing accounts on Ancestry sites. We did confirm that a very small number of accounts – less than one percent of our total customer group – used the same account credentials on both Rootsweb and an Ancestry commercial site. We are currently contacting these customers.
“In all cases, any user whose account had its associated email/username and password included on the file has had their accounts locked and will need to create a new password the next time they visit.”
You can read the full security notice at: https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update.
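The notice above describes two technical steps: checking whether credentials from the exposed RootsWeb file also open accounts on an Ancestry commercial site, and locking the matching accounts so a new password is required. The following is an added worked example of how such an overlap check is done against a properly protected account store; it is not Ancestry’s code, and the leaked file, the account store and all names in it are constructed for illustration. The point it makes that the notice does not: a site that stores only salted hashes cannot read its users’ passwords back, so it can test reuse only by taking each leaked plaintext password, recomputing the hash with that user’s stored salt and comparing. The exposed plaintext file is the only thing that makes that comparison, by defender or attacker, possible.

```python
"""
Added example (not Ancestry's code): find which credential pairs from a
leaked "email:password" file (Site A) also work on Site B, whose database
holds only per-user salted PBKDF2 hashes, then lock the matches.
All data below is constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed leaked file from "Site A", as an exposed dump would look.
# Includes a password containing ':' and two junk lines on purpose.
LEAKED_FILE = """\
alice@example.com:Genealogy2017
Bob@example.com:surname-list
carol@example.com:correct:horse:battery
dave@example.com:hunter2
# stray comment line
line-with-no-separator
"""

# Demo-speed iteration count; a real store would use a far higher count
# or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 50_000


@dataclass
class Record:
    """One Site B account: random salt, PBKDF2 hash, lock flag. No plaintext."""
    salt: bytes
    hash: bytes
    locked: bool = False


def normalize_email(email: str) -> str:
    """Match accounts case-insensitively, ignoring surrounding whitespace."""
    return email.strip().lower()


def parse_leaked_file(text: str) -> List[Tuple[str, str]]:
    """Return (email, password) pairs. Split on the first ':' only so that
    passwords containing ':' survive; skip comments and malformed lines."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        pairs.append((normalize_email(email), password))
    return pairs


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> Record:
    """Create a Site B record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return Record(salt=salt, hash=hash_password(password, salt))


def build_site_b_db() -> Dict[str, Record]:
    """Constructed Site B store: alice and carol reused their Site A password,
    bob chose a different one, dave has no Site B account, erin was never leaked."""
    return {
        "alice@example.com": make_record("Genealogy2017"),
        "bob@example.com": make_record("a-different-password"),
        "carol@example.com": make_record("correct:horse:battery"),
        "erin@example.com": make_record("not-in-the-leak"),
    }


def verify(record: Record, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record.hash, hash_password(password, record.salt))


def find_reused_credentials(leaked_text: str, db: Dict[str, Record]) -> List[str]:
    """Emails whose leaked Site A password also unlocks their Site B account.
    Only accounts present on Site B can be checked at all."""
    reused = [
        email
        for email, password in parse_leaked_file(leaked_text)
        if email in db and verify(db[email], password)
    ]
    return sorted(reused)


def lock_accounts(db: Dict[str, Record], emails: Iterable[str]) -> Set[str]:
    """Remediation: lock matched accounts so the next login forces a reset.
    Returns the emails actually locked (unknown emails are ignored)."""
    locked: Set[str] = set()
    for email in emails:
        if email in db:
            db[email].locked = True
            locked.add(email)
    return locked


if __name__ == "__main__":
    site_b = build_site_b_db()
    reused = find_reused_credentials(LEAKED_FILE, site_b)
    print("reused credentials:", reused)
    print("locked:", sorted(lock_accounts(site_b, reused)))
    print(f"share of Site B accounts affected: {len(reused) / len(site_b):.0%}")
```

Two details matter for anyone doing this for real: the comparison is per user (the stored salt belongs to one account, so there is no shortcut for testing a leaked password against everyone), and the leaked plaintext should be handled as the toxic asset it is, read once for the check and then securely discarded rather than copied around.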
Here is my interpretation of the problem:
Leaving any file containing user IDs and passwords exposed to the public is always a bad thing. The security departments at most online sites, including Ancestry.com, spend a lot of time and effort making sure such breaches of security don’t happen. In this case, one problem slipped through. That’s regrettable.
Having said that, I also suspect this was a minor problem. Again, according to Ancestry, fewer than one percent of its total customer group used the same credentials on both RootsWeb and an Ancestry commercial site.
So far as anyone knows, the only person to access that file probably was the one security researcher. These people are sometimes called “white hat hackers,” with the term “white hat” meaning they are the “good guys.” (Remember the old-time westerns? The good guys always wore white hats.)
Even if a “black hat” hacker did manage to access the file, there is no evidence that it has ever been used for nefarious purposes.
Next, the Ancestry folks did the right thing (in my opinion):
1. They fixed the problem immediately.
2. They publicized the problem immediately to let everyone know, unlike some companies that have tried to hide their security problems. (I’m looking at you, Equifax!)
3. All users affected will need to create a new password the next time they log in.
Here is what you should do:
The only major issue I see is for anyone who uses the same password on other sites, such as a bank’s online access or a stock brokerage account. Security experts always tell everyone never to reuse a password across multiple web sites, yet we know that many people ignore such warnings and use one password in many places.
It is possible that a hacker did find the file (it was not in an obvious place) and extracted the user names and passwords. If so, that hacker could now be trying those same email/password combinations against bank accounts, stock brokerage accounts and other sites that are attractive to criminals, a technique known as credential stuffing.
If you ignored the security warnings and did use the same password on multiple sites, you need to change your passwords on all those sites immediately.
And please, please do not use the same new password on all the sites!