We all saw the bombastic headlines at the end of December claiming more than 300,000 Ancestry.com clients got their email addresses, usernames, and passwords leaked through an unsecured file on a RootsWeb server. Needless to say, the real story is far less dramatic and entails a much smaller security breach than stated in numerous online media. So, let’s look closely at all the events in chronological order.
What Actually Happened?
On December 20th, 2017, Troy Hunt, a well-known security researcher from HaveBeenPwned.com, alerted Ancestry.com’s security team to an unsecured file located on a RootsWeb server holding combinations of email addresses, usernames, and passwords, as well as RootsWeb.com server usernames. Ancestry.com reacted promptly and launched an investigation in which its Information Security Team inspected the details of the file and concluded that it contained the login data of users of RootsWeb’s surname list information, which is a service Ancestry.com retired earlier in 2017.
In case you’re unfamiliar with RootsWeb, it’s a community-driven and completely free collection of tools used by some individuals to host or share genealogical information. Ancestry has hosted dedicated RootsWeb servers since 2000 as a favor to its community. In order to put some things into perspective and “deflate” the explosive security breach stories, we’ll inform you that RootsWeb doesn’t host any sensitive data like social security numbers or credit card numbers and doesn’t have the same support infrastructure as other brands under Ancestry’s corporate umbrella.
Ancestry also reviewed the file to check if the leaked account information overlapped with any of the existing accounts on Ancestry websites. During that process, the security team confirmed a very small amount of overlapping data, less than 1% of Ancestry’s total customer group. Those customers were contacted immediately. Note that this security breach only affected individuals who used the same personal account credentials on both Ancestry and RootsWeb, which is something every online security expert will caution you not to do.
The security leak affected around 55,000 clients who used the same account credentials at Ancestry and RootsWeb’s surname list. This is a much smaller number than 300,000, as some other sources reported. Furthermore, if the affected individuals weren’t using the same login information for both services, the leaked file couldn’t compromise their Ancestry accounts.
Ancestry’s reaction to the crisis was nothing short of impressive, as its security team immediately locked the compromised accounts and sent out emails to alert the affected clients of the situation. Contrary to some other media, we see this swift action to resolve something that wasn’t Ancestry’s fault to begin with as a true epitome of professionalism and dedication to its clients.