300K usernames and passwords exposed on Ancestry.com RootsWeb server

300K usernames and passwords exposed on Ancestry.com RootsWeb server

Ancestry.com has confirmed that a leaky server on RootsWeb, its free community-driven genealogical website, inadvertently exposed a file containing 300,000 usernames, email addresses and passwords online. In a statement issued over the weekend, Ancestry's chief information security officer Tony Blackham said a security researcher notified the company of the unsecured file on 20 December.

On a positive side, Ancestry.com did note that the exposed RootsWeb data did not include credit card numbers or social security numbers. The company added that it was in the process of informing customers of the data exposure, including Ancestry.com users who had used the same username/password combinations on both services.

What isn’t clear from the data breach disclosure is exactly how it came about. The company claims that “someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up,” which could mean the data was accessed because of a security failure. But that doesn’t explain why someone external to the company would create a file with the data and then leave it sitting on the server.

"Though the file contained 300,000 email/usernames and passwords, through our analysis we were able to determine that only approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts," Blackham explained.


Although it may have been a case of hacking, it also could have been a case of accidental data exposure, something that became all too common in the second half of 2017. The company doesn’t state that the data was hosted on an Amazon Web Services Inc. server instance, but it is an AWS customer, saying in a press release in June that it was migrating all of its applications and data to AWS