Ancestry Had a Security Problem, Now Corrected

I normally don’t publish articles on weekends but this one incident is important enough to make an exception:

Ancestry was notified this week by a security researcher that the researcher had found a hole in Ancestry’s online security that affected a small number of Ancestry subscribers. A file containing email addresses/usernames and password combinations from a RootsWeb.com server was exposed to anyone who knew where to look for it. There is no evidence that any hacker or anyone else other than this one security researcher ever accessed the file.

The folks at Ancestry quickly fixed the problem.

According to a notice posted in the Ancestry Blog:

“Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of Rootsweb’s surname list information, a service we retired earlier this year.”

The same notice also states:

“We also reviewed the RootsWeb file to see if any of the account information overlapped with existing accounts on Ancestry sites. We did confirm that a very small number of accounts – less than one percent of our total customer group – used the same account credentials on both Rootsweb and an Ancestry commercial site. We are currently contacting these customers.

“In all cases, any user whose account had its associated email/username and password included on the file has had their accounts locked and will need to create a new password the next time they visit.”

You can read the full security notice at: https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update.

Here is my interpretation of the problem:

Leaving any file containing user IDs and passwords exposed to the public is always a bad thing. The security departments at most online sites, including Ancestry.com, spend a lot of time and effort making sure such breaches of security don’t happen. In this case, one problem slipped through. That’s regrettable.

Having said that, I also suspect this was a minor problem. Again, this only affects less than one percent of Ancestry’s total customer group.

So far as anyone knows, the only person to access that file probably was the one security researcher. These people are sometimes called “white hat hackers,” with the term “white hat” meaning they are the “good guys.” (Remember the old-time westerns? The good guys always wore white hats.)

If a “black hat” hacker did manage to access the one file, there is no evidence that he or she has ever used it for nefarious purposes.

Next, the Ancestry folks did the right thing (in my opinion):

1. They fixed the problem immediately.

2. They publicized the problem immediately to let everyone know, unlike some companies that have tried to hide their security problems. (I’m looking at you, Equifax!)

3. All users affected will need to create a new password the next time they log in.

Here is what you should do:

The only major issue I see is for anyone who uses the same password on other sites, such as a bank’s online access or a stock brokerage account. Security experts always tell everyone never to share passwords amongst multiple web sites, yet we know that many people ignore such warnings and use one password in multiple places.

It is theoretically possible that a hacker perhaps did find the file (it was not in an obvious place) and may have extracted user names and passwords. If so, that hacker might now be trying to access bank accounts, stock brokerage accounts, and other sites that are attractive to hackers.

If you ignored the security warnings and did use the same password on multiple sites, you need to change your passwords on all those sites immediately.

And please, please do not use the same new password on all the sites!

16 Comments

I don’t use the same password for all my links, especially banks have there own security password, but knowing how easy to hack I change it & have security alert if anyone tries to hack into my account. Genealogy is another I use separate passwords. I was told to do this in 1992 when I bought my first used Mac.
Thank you for keeping everyone up to date and have a Merry Christmas.

    their own…. means it belongs to you=== there own means PUT IT OVER===== THERE=== learned this when I was teaching 2nd grade ,,,,cuz one little girl’s mother had a boy friend who TAUGHT English…smile…and it was mentioned to ME…

Not fixed yet. I just tried to sign onto site. and it is DEAD. DOWN. says will be down until they fix it. Weeks oN END Again.
horrible service from ancestry when it comes to RootsWebAncestry.com site. 2:37 p.m. 12 23 2017.

If the Rootsweb service had been retired so long ago, why were the addresses, etc. still within the system?

    I don’t know of what they speak when they say it has been retired. I have several mailing lists on Rootsweb.com and they are still active. That is where my password is.

    Ancestry never said that all of RootsWeb had been retired, but only one of the services on RootsWeb is affected: “… users of Rootsweb’s SURNAME LIST INFORMATION, a service we retired earlier this year.”

I did receive SPAM from Rootsweb. I recognize SPAM and didn’t even open it, but sent it to my SPAM folder. It was at least all day before Ancestry let me know of the problem.

server is still shut down and Ancestry didn’t send me email about the security problem because I already changed my pw for Ancestry side before it was discovered (hint – Equifax).
Because it’s holidays, Ancestry said it will be a while.
And reply to one poster – Rootsweb service was NEVER retired, being moved to new servers as well as operating systems being upgraded. Ancestry is NOT shutting down at all, just purging the unused features (Surhelp, Mailmerge are two features of several features not used.) and they are NOT moving free Rootsweb features into pay-for-access.

It’s not corrected, Rootsweb is still down and our Genealogy Society website along with it!

This evening, after reading Ancestry’s notice email and then following the link to create a new password, I get a message that Ancestry is unable to update my password. Trying to log directly into Ancestry, I get a message that my login credentials are invalid. Trying to call their customer support center, they are closed for the holiday.

Well it was fortunate that it was found from within. And also that Ancestry did their duty and informed their members. Even though it is less than one percent I wonder how many people it affects. Ancestry must have millions of customers?

I certainly hope all those websites will be back on line! There is a huge amount of valuable data there, and I am not sure how much Ancestry values it. For example, there is a huge database of Stamford (CT) families, that has been contributed to for 20 years, that is a go-to resource for Stamford descendants. Since these aren’t paid sites, how much priority does Ancestry put on it?

Ancestry is NOT addressing this quickly. They expect Rootsweb to be down for several weeks while they work on it.

I miss Rootsweb.

I have had a database on RootsWeb WorldConnect for many many years, and I still cannot get to the RootsWeb website. I really miss being able to upload updates. Has Ancestry.com given any estimate for when RootsWeb will be back online?

Oh, I see.
RootsWEB had a Security Problem, Not Corrected.
We need a topic for the RootsWEB problem, It is still an it is being discussed on this topic “Ancestry Had a Security Problem, Now Corrected”.
