Slashdot Mirror


300,000 Users Exposed In Ancestry.com Data Leak (threatpost.com)

Dangerous_Minds shares a report from ThreatPost: Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed in November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services. Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added that there are no indications the data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server. "Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers," Blackham wrote.

43 comments

  1. November 2015 by sdinfoserv · · Score: 1

    What is this, jump on the "we exposed data" bandwagon... but seriously, for Christ's sake, this is over 2 years ago. It makes you look stupid, inept or nefarious for failing to report for so long.

    1. Re:November 2015 by CaptainDork · · Score: 1

      Because transparency.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re: November 2015 by LifesABeach · · Score: 1

      Another data breach? This is my surprised look on my face.

    3. Re: November 2015 by CaptainDork · · Score: 1

      This is my surprised look on my face that you have a surprised look on your face. lol

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re: November 2015 by LifesABeach · · Score: 1

      It's now cheaper to get a credit check on the Dark Web than to pay Equifax.

    5. Re: November 2015 by CaptainDork · · Score: 1

      True. I keep looking at haveibeenpwned to see if I'm alive.

      My "MySpace" account got hacked.

      Bastards.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Go figure by Anonymous Coward · · Score: 0

    Leave it to the Morons, er Mormons... to fuck it up.

    1. Re:Go figure by Anonymous Coward · · Score: 0

      Ancestry.com is not in any way affiliated with The Church of Jesus Christ of Latter-day Saints (the "Mormons"). The genealogy site that IS affiliated with the LDS Church is FamilySearch.org, which has nothing to do with this article.

    2. Re:Go figure by Anonymous Coward · · Score: 0, Informative

      It's a Utah-based company, therefore run by Mormons. The Mormons, as you are undoubtedly aware, exist to gather genealogical data because they baptise the dead after the fact. They believe that all people can become Mormons either in this life or the next. And, yes, they are a cult.

    3. Re:Go figure by Anonymous Coward · · Score: 0

      familysearch.org is run by the church itself. Ancestry.com is run by church members who want to make a mint out of it.

    4. Re:Go figure by Anonymous Coward · · Score: 0

      Your original statement is like saying "leave it to the Catholics to screw it up" every time a company in Rhode Island has a data breach, or "leave it to the Baptists to screw it up" every time something goes wrong with a company in the Bible Belt, as there would typically be many believers of those religions working for any company in those locations. I simply pointed out the fact that Ancestry.com is in no way affiliated with the LDS church and "the Mormons" as a group had nothing to do with this data leak, as you falsely implied.

      I live in Utah and am a "Mormon" (a member of The Church of Jesus Christ of Latter-day Saints), so trying to educate me about what my state is like or about the LDS Church "cult" might not be the best use of your time. If I weren't Mormon and wanted to know about the Church or what Mormons believe, I would be much better served by reading on the official Mormon.org website or by talking with members of the LDS Church than by listening to anonymous people pretending to know all about it and making derogatory comments on slashdot articles, or any other unreliable second-hand source.

    5. Re:Go figure by Anonymous Coward · · Score: 1

      Ancestry.com is owned by Permira, a European private equity firm that bought the company several years ago. Due to its location there are obviously many members of the LDS church who work there, just as there would be many Catholics and Baptists working for just about any large corporation located in most parts of Texas. There are also many people of other faiths or no religious affiliation at all that work at the company. And none of this has anything to do with the fact that the original post was just someone being a bigot.

    6. Re:Go figure by MightyMartian · · Score: 1

      When you were taught logical fallacies, I think you may have been mistaken in imagining that they were good things.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  3. You're an idiot if by Anonymous Coward · · Score: 0

    you use a DNA collecting service in the first place. Data leak...wink wink...whatever you have to label it to keep people from asking questions. "Pssst, leave a crack open." The three letter agency biometrics bank will always try to collect in anyway they can and not give a damn.

    1. Re:You're an idiot if by Anonymous Coward · · Score: 0

      This is the roots web part, not the dna part.

    2. Re:You're an idiot if by Anonymous Coward · · Score: 1

      Yes, but as stated in the summary, 55,000 of the leaked rootsweb credentials had matching credentials on the ancestry part, and 7000 of those are actively-used current accounts. Probably at least a portion of the 55,000 use or have used the DNA part of ancestry. DNA has been all the rage at genealogy shows and conferences the past few years.

  4. unhashed passwords? by Anonymous Coward · · Score: 0

    "According to a tweet by Hunt the publicly exposed data contained plain text passwords."

    How in the fucking world does this still fucking happen?

    1. Re: unhashed passwords? by Anonymous Coward · · Score: 0

      I wonder how many more companies are stuck in the past. I don't even use passwords anymore. Just post AC.

  5. Why passwords? by Anonymous Coward · · Score: 0

    No server anywhere should be storing user passwords, just salted hashes.
    Who are these people out there setting up systems that store passwords, and how can we get them fired?

  6. Terrible news! by Anonymous Coward · · Score: 0

    The important thing to remember is that there was no collusion. And even if there was, collusion is not illegal!

  7. Mother's maiden name? by apparently · · Score: 4, Interesting

    The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers.

    Yeah, nothing sensitive and unchangeable such as a giant database of everyone's mother's maiden name, which is never ever used to "protect" access to credit card data.

    1. Re: Mother's maiden name? by Anonymous Coward · · Score: 0

      That data already got leaked in the Equifax hack.

    2. Re:Mother's maiden name? by Anonymous Coward · · Score: 0

      Any bank still using mother's maiden name to protect access to credit cards is sorely behind the times. There are dozens of online "background check" and "people finder" websites that allow free access to information (including known family relationships) scraped from various public records, marketing databases, etc. Not to mention that most of the population has a Facebook account with weak privacy settings such that it is easy to see who their mother is, and pretty often the mother has her maiden name listed in parentheses so her old hometown friends can find her. Mother's maiden name isn't much of a secret these days.

    3. Re:Mother's maiden name? by Anonymous Coward · · Score: 0

      If mother is dead her maiden name will be public by default on most genealogy sites. I can't believe companies still use this as a secret.

  8. Not the first time they leaked by Que_Ball · · Score: 3, Informative

    I'm not surprised that they lost data. It's not even the first time.

    I signed up ages ago, in 2007, with a unique email address used only to sign up for their service, with all partner offers and marketing choices (if there were any) set to no. Format: user-randomstring@domain.com

    I started getting spam to their unique tag years ago, so they lost data before. I may have kept a sample of the first spam, but I think it was in the 2008-2009 timeframe.

  9. Genome by Anonymous Coward · · Score: 0

    Ancestry has info about customers' genomes too

  10. It's just their DNA by WillAffleckUW · · Score: 1

    I'm sure they can easily change that.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:It's just their DNA by Anonymous Coward · · Score: 0

      With enough radiation, anything is possible.

    2. Re:It's just their DNA by Anonymous Coward · · Score: 0

      This was the roots web component, not the dna component.

    3. Re:It's just their DNA by Anonymous Coward · · Score: 1

      But there were 55,000 credentials shared between the rootsweb component and the main ancestry component. Likely some of those have used the DNA service. For some reason it is pretty popular these days. For ONLY $99 bucks or so you can find out what you already knew: that you are predominantly of Western European descent with a small fraction of ancestors from other areas mixed in, for example. And thus your DNA enters the commercial sector, which is largely unregulated, and when they don't keep the data secure it ends up who-knows-where. And since much of your family members' DNA is determinable from your DNA, they can thank you for also affecting them.

  11. Don't use ancestry.com by Anonymous Coward · · Score: 0

    It's run by the Mormons.

    1. Re:Don't use ancestry.com by Anonymous Coward · · Score: 1

      Ancestry.com is owned by Permira, a European private equity firm that bought the company several years ago. Due to its location there are obviously many members of the LDS church who work there, just as there would be many Catholics and Baptists working for just about any large corporation located in most parts of Texas. There are also many people of other faiths or no religious affiliation at all that work at the company. And none of this has anything to do with the fact that the original post was just someone being a bigot.

  12. Now I know who to kill for my liver transplant! by Btrot69 · · Score: 1

    Mwa-ha-ha-haaaa!
    Just kidding (for now) . . .
    It is inevitable that genetic databases will be used by desperate rich people needing transplants.

    I was thinking about sending in my sample anonymously . . .
    Then, I realized that I would be easily identified from my family who had sent in samples ;(

  13. I was thinking the same thing! by www.sorehands.com · · Score: 2

    Why would anyone design a system that actually stores the password? You hash the password, destroy the password, then move on.

    Maybe it is too hard to write a hash because there are none available in libraries.....oh ....never mind.
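A worked example of what comments 5 and 13 describe (added here; not code from the page, from Ancestry or from RootsWeb): keep only a salted, iterated PBKDF2 hash of the password, verify a login against that record, and flag records hashed under an older, weaker iteration count so they can be upgraded at the user's next login. The record format and iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 and an iteration
# count you raise over time as hardware gets faster.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "algo$iterations$salt$hash".

    The plaintext is never written anywhere; a leaked table row holds only
    the salt, the work factor and the derived hash.
    """
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record; raise ValueError on anything malformed."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unknown algorithm")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # corrupt or foreign record: treat as a failed login, not a crash
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(computed, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with a weaker work factor than today's setting.

    Call this after a successful verify: you have the plaintext in memory at
    that moment, so you can re-hash and overwrite the old row.
    """
    try:
        iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return iterations < ITERATIONS
```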

  14. Re:Now I know who to kill for my liver transplant by Ol Olsoc · · Score: 1

    Mwa-ha-ha-haaaa! Just kidding (for now) . . . It is inevitable that genetic databases will be used by desperate rich people needing transplants.

    I was thinking about sending in my sample anonymously . . . Then, I realized that I would be easily identified from my family who had sent in samples ;(

    Don't forget law enforcement. Even if they couldn't use DNA evidence directly, if a match comes up, you can use parallel construction so you know exactly who you want to go after. They would love as many DNA samples as they can get.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  15. Re:Now I know who to kill for my liver transplant by DivineKnight · · Score: 1

    There's that, plus the ability to pin a crime on anyone in a (half-decent) DNA database. Why? Because scientists are getting really good at creating DNA (and what have you) from recipes (electronic encoded information).

    Just throw some DNA in the CRISPR, wait a day or two, and you have DNA evidence!

  16. Re:Now I know who to kill for my liver transplant by AHuxley · · Score: 1

    1+ for federal law enforcement needing DNA from kin without going anywhere legal near their suspect.
    Don't want to go into local small town courts, gov, look at paper records in fly-over country? Mentioning names and looking for records? That town worker might gossip about the DoJ asking for paperwork on well respected locals.
    Do it digitally and get the DNA needed from one person near the suspect. No need to drive and fly out too many times to get records and risk questions by locals.
    Just one time to get the actual sample from kin without anyone knowing. Keeps who is being looked at more of a secret, as nobody has done any data requests on that name.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Re:Now I know who to kill for my liver transplant by AHuxley · · Score: 1

    Re "plus the ability to pin a crime on anyone in a (half-decent) DNA database."
    The other issue is that of low- and mid-ranking DoJ doing DNA work and the resulting random US-wide federal database results.
    Say a person did something bad in the 1970s. DNA is fully recovered from a stamp or letter related to the crime in 2017.
    Put the new results of advanced DNA recovery into some federal database and see if anyone related is in the US federal criminal/mil/federal DNA system.
    Get some new names and start searching federal databases. Who was who in the 1970s, and if that interesting person is still alive.

    Suddenly the investigative team is looking at some part of the extended family of a well respected state/federal judge from the 1950-70s. That family has now advanced up the US political power structure a generation or two later.
    The crime was never expected to be reopened.
    The investigative team induces FBI database search protections that protected lists of powerful names from being investigated by low-ranking bribed officials.
    Enter the wrong name and the police who went searching get investigated.
    By using the private sector until the actual names are discovered, it's much easier to keep case work from being questioned internally.
    DNA is wonderful for solving decades of working-class crime. A much more powerful family may not like their past being openly investigated.

    --
    Domestic spying is now "Benign Information Gathering"
  18. Re:Now I know who to kill for my liver transplant by Anonymous Coward · · Score: 0

    If you are committing crimes that law enforcement sees fit to use DNA to solve, I'm kinda fine with them using it for parallel construction.

  19. Solid points, good sir. by Anonymous Coward · · Score: 0

    When you talk about how collusion didn't happen, and even if it did, collusion isn't illegal, you are talking common sense. And you know democrat party did collusion! Much much collusion in democrat party. Everyone is talking about it. Many people! In summary, there was no collusion and it isn't illegal! Also democrat party colluded with russia so investigate them! Fire biased shillary muller guy!

  20. Well they have your mother's maiden name by Anonymous Coward · · Score: 0

    Think about that for a moment

  21. Does Ancestry sell data to health insurers? by Streetlight · · Score: 1

    Perhaps a bit off topic, but the company may make some profit by selling your DNA data to health insurers. Not sure if this is true. One of the provisions of the Affordable Care Act (Obamacare) is that insurers can't deny coverage due to a previous condition. Knowledge of a genetic disposition for some condition that might be expensive to treat would be useful to insurers if the ACA goes away, as some members of Congress want.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  22. Re:Now I know who to kill for my liver transplant by Anonymous Coward · · Score: 1

    Once DNA tests are mobile enough to be done on-site in a few minutes, there may be very few types of crimes (even minor infractions) that law enforcement won't see fit to use DNA to "solve."