• by Ray Schultz , December 28, 2017

Ancestry.com has suffered a data leak consisting of 300,000 email addresses, user names and password combinations, according to a blog post by Tony Blackham, chief information security officer at the family history firm.  

The company’s security team was alerted when a researcher found a file containing personal data on Ancestry.com customers on a RootsWeb.com server. Roots.com, a service hosted by Ancestry.com since 2000, is a free set of tools used by people seeking and sharing genealogical information.

Ancestry states that "Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of RootsWeb’s surname list information, a service we retired earlier this year." 

According to IBTimes, security expert Troy Hunt, creator of the "HaveIBeenPwned.com" data breach repository, notified the firm of the 2015 data compromise.

In reaction to this incident, Ancestry has locked the accounts of the 55,000 affected users until they revise their passwords, and it has sent emails to those consumers. However, it has seen “no activity that indicates these accounts have been compromised,” Blackham says in the post issued last weekend.

The file contained 300,000 email/usernames and passwords, but Ancestry determined that “only approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts,” Blackham adds.

It also found that “about 7,000 of those password and email address combinations matched credentials for active Ancestry customers. 

Ancestry “reviewed the RootsWeb file to see if any of the account information overlapped with existing accounts on Ancestry sites,” Blackham continues.

Its conclusion: “We did confirm that a very small number of accounts -- less than one percent of our total customer group -- used the same account credentials on both RootsWeb and an Ancestry commercial site. We are currently contacting these customers."

Blackham assures account holders that “this issue involves less than one percent of our users, so there is a very good chance your account wasn’t involved.” And it notes that RootsWeb does not host sensitive information like credit card numbers or social security numbers, and is not supported by the same infrastructure as Ancestry’s other brands.

The company is also conducting a “deep analysis” of RootsWeb and its design, Blackham states.