Part of RootsWeb to go offline
The folks at Ancestry have taken a proactive security step, closing part of the RootsWeb service today after being notified of a security breach affecting that one part of the service.
The security issue came from a part of RootsWeb that was closed some months ago. It turns out that, before it was closed, a security breach occurred — nobody knows exactly how — that resulted in the disclosure of about 300,000 username-password combinations from RootsWeb.
Of those, some 55,000 username-password combinations were the same as or similar to those of people who have also been Ancestry subscribers and/or purchasers of DNA kits. And of those, some 7,000 username-password combinations are still in active use at either Ancestry or AncestryDNA.
All of the active users will be notified by email and all will be required to set a new password the next time they log in to Ancestry.
Eric Heath, chief privacy officer at Ancestry, said that a thorough security check has not shown any evidence whatsoever of active exploitation of the data. No unusual activity at Ancestry and no breach of DNA data has been detected at all. Nobody can log in to RootsWeb and get access to Ancestry or AncestryDNA.
However, out of an abundance of caution, all parts of RootsWeb that might be impacted will be shuttered temporarily until a full security review can be completed and the service resumed with full confidence in the security of the domain.
The one part of RootsWeb that won’t be affected is the email lists. But folks with private or public family sites and the like will not be able to access them during the shutdown.
Heath wasn’t able to give an estimate on how long it might take to get all of RootsWeb back up and running, noting that the two priorities will be protecting the privacy of users and avoiding data loss on RootsWeb during the shutdown. Those tasks, particularly over the holiday period, may take longer than anyone wants but won’t be cut short just to get the service back online.
“Our first interest is the protection of our users,” Heath said. “That comes before anything else.”
If your log-in info was affected, you will get an email from Ancestry at the email address associated with your Ancestry or AncestryDNA account. If your email isn’t up to date, you may find out about this when you try to log in and are told you must reset your password.
And for more information, there’s a blog post at Ancestry.
Merry Christmas from the hackers…
I realize when this happens over the holidays that recovery will likely not be a quick one, but is there any estimate on time?
As the blog post says, “Heath wasn’t able to give an estimate on how long it might take to get all of RootsWeb back up and running…”
IT DOES AFFECT EMAIL and other user created input fields – it seems any profile field has any alphanumeric matches will disallow beyond the owners name. Entry into the subscription locks up the Ancestry.com browser function. Only exit and restart are options.
As you note (and I will repeat this to all of your many comments here), “Ancestry says now it is their issue.”
This is totally horrible of Ancestry. First, it’s an indication that they store your password either in textual form or in a decryptable manner.
Any company handling userids and passwords should know that passwords must be stored hashed in a way that you can only used the stored hash to check that a password is correct and you cannot derive the password back from the stored hashcode. This is called one-way encryption.
If the passwords are not stored that way, then any employee at Ancestry who has access to the login information database can easily see or compute everyone’s passwords. The information stating that they “reviewed the RootsWeb file” to see if the same account credentials were used on Ancestry sites has me really worried that they’re storing the passwords the wrong way on Ancestry as well.
This is a major transgression on Ancestry’s part that they must fix right away. It’s a security hole that no company that cares for its customers would leave open.
Louis, RootsWeb is a very very old part of the system, acquired by Ancestry late in its life. So it’s not surprising that it ran into security issues and they’re being thoroughly addressed.
You’re missing my point, Judy. If Ancestry was able to compare the passwords on Rootsweb with those on Ancestry, then they’ve got a big security problem on the main Ancestry site that needs to be fixed.
What Yvette said. This is standard procedure.
So then WHY if it is very old do they suddenly have a “security breach”? Sounds as if they mismanaged the site, right? This didn’t happen before…
Hackers are pretty relentless in trying to find security holes and sometimes we just don’t know what those holes are until somebody finds them. More than that, in terms of why… you’d have to ask the hackers! 🙂
Ancestry acquired Rootsweb in June 2000 and has had full control of it ever since then. They could and should have identified and addressed security issues with passwords, etc. sometime within the last 17 years. They did not. – Why? I feel it is because they hold an aggressive approach to buying up or licensing and altering all formerly free aspects of the genealogy market. They didn’t intend to keep the free sites around forever. They are working hard at monetizing every source out there that genealogists formerly had available to them for free. And yes in this day and age security issues are more serious than ever before, but they are busy monetizing! Now that they have more money from their profitable DNA testing and can afford hugely successful marketing campaigns they are off and running.
As I write this, it has been 2 weeks since their security blog post. RootsWeb and the invaluable WorldConnect gedcoms are still not back. There have been no updates and no emails from them. – Family tree researchers should know by now that the genealogy world has changed and that the hard work they did in their research and posting of family tree information has been usurped by ancestry,com. I and others are now struggling to determine the best way to put our work out there to be available for others in a useable, safe, free way. But access to reliable free sources is being shut off.
I guess we need to get philosophical about it – at least if people can afford to pay for access, it is still there. But many researchers are on fixed incomes, like the soon-to-be-defunct Social Security.
I and others have suspicions that if Rootsweb and WorldConnect do come back their “enhancements” will involve a road to further monetizing their own business. I suspect the sources and notes sections of all those WorldConnect gedcoms will be stripped. Without it, the data is almost useless as future genealogists will not be able to determine what is reliable information or not. They will have to go to ancestry or its affiliates to pay.
I did much of my work, as did others, in the wild west days of the early internet, where ingenuity was in abundance.
There was a time when the power of the mind was more important than the power of the pocket book. That time has changed and is no more.
The reality of internet information is that somebody has to pay the bills. We realistically can’t expect access to bandwidth to be free. That doesn’t excuse the problem, nor the lack of a solution. But there really is no such thing as a free lunch.
So, I must say that there not being “a free lunch” has nothing to do with this particular issue. Ancestry bought a resource which was FREE and created for the sole purpose of sharing research amongst all people, novice through advanced genealogists. What was the purpose of buying such a free resource? They have never charged anyone for access, nor shut it down, so obviously they either bought it to keep it from growing or to be acquired by someone else to challenge their position. I suspect the former, and so they allowed the site to remain “as-is” and purposely neglected it. There is where the fault lies, and the lesson here is if you buy something and it involves hundreds of thousands of peoples’ personal information, you have a responsibility to PROTECT their information, just like any other organization in the world. You don’t simply get to throw up your hands and say, “My bad since we don’t charge anything!”
Nobody is defending the data breach. But expecting that something that began free (and soon became sponsored, by Palladium Interactive, publisher of Ultimate Family Tree software) to remain free is simply unrealistic. Any of us who ever had data on RootsWeb — or who rely on data that’s there — need to think about how we can ensure that it remains available without expecting to have free resources forever.
Years ago I had a month subscription on Ancestry. I started to notice my search history included searches I had not done for names I would have never searched and there were items in my Shoebox that were not mine. At that time I logged out every time and I had signed in at times I never did. I called Ancestry and said someone was using my account. They were not at all interested. At the time I wondered if employees were using accounts or selling ID and passwords. I was truly shocked at their lack of interest. I of course changed my password and it stopped. I didn’t have a paying subscription for years after that.
That certainly must have been a concern but, as you say, once you changed your password it stopped. That’s a good thing!
Karen- this has nothing to do with Rootsweb or Ancestry but has relevance. Last Christmas, I used my credit card and made a lot of purchases (something I don’t normally do). They put a freeze on my account but called my home phone so I didn’t know. I looked at my bill and phoned them and said I never bought the last five items. After some arguing, they realized the purchases were made AFTER the freeze. Investigation proved it was one of their own employees who saw me making charges and jumped in. You’re correct; not every employee is honest.
Just to be clear, however, this was NOT on Ancestry or RootsWeb.
Not true. They can compare the hashes to see if the same password was probably used, without knowing the password itself. That’s standard operating procedure during a data breach and the responsible thing to do.
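The exchange above (the comment arguing that a credential comparison proves plaintext storage, and the reply that stored hashes can be checked instead) turns on how a one-way password store works. As an added illustration, not code from Ancestry, RootsWeb or this post, here is how a site that keeps only salted PBKDF2 hashes can still check a leaked plaintext username/password list against its own accounts: hash each leaked password with that user's salt and compare. The account names, passwords, leaked list, and the choice of PBKDF2-SHA256 with 200,000 iterations are all constructed assumptions for the example. The block also shows why two independently salted stores cannot have their hashes compared to each other directly: the check needs the leaked side in plaintext, and says nothing about how the checking site stores its own passwords.

```python
"""Check a leaked plaintext credential list against a salted one-way
password store. Added example; not Ancestry's or RootsWeb's code.
All accounts, passwords and the leaked list are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

ITERATIONS = 200_000          # PBKDF2 work factor (assumed for the example)
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). PBKDF2 is one-way: the digest can only be
    recomputed from a candidate password plus the same salt, never reversed."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def build_store(plaintext_accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate account creation: plaintext is hashed once and then discarded;
    the store keeps only username -> (salt, digest)."""
    return {user: hash_password(pw) for user, pw in plaintext_accounts.items()}


def find_reused_credentials(leaked: List[Tuple[str, str]],
                            store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Usernames whose leaked plaintext password verifies against the local
    hash. These are the accounts that would need a forced password reset.
    Per-user salts mean hashes from another system cannot be matched directly;
    only a plaintext password can be checked against a hashed store."""
    hits = []
    for username, leaked_pw in leaked:
        record = store.get(username)
        if record is None:
            continue                      # no local account with that username
        salt, stored = record
        if verify_password(leaked_pw, salt, stored):
            hits.append(username)
    return hits


def salts_make_hashes_differ(password: str) -> bool:
    """Same password hashed in two independently salted stores gives two
    different digests, so cross-store hash comparison would find nothing."""
    _, digest_a = hash_password(password)
    _, digest_b = hash_password(password)
    return digest_a != digest_b


# Constructed local accounts (plaintext exists only here, to seed the store).
SAMPLE_ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "genealogy2017",
}
STORE = build_store(SAMPLE_ACCOUNTS)

# Constructed leaked list in the form described for the breach: plaintext pairs.
LEAKED = [
    ("alice", "correct horse battery staple"),   # reused: reset required
    ("bob", "Hunter2!"),                         # different password: no hit
    ("dave", "whatever"),                        # no local account
    ("carol", "genealogy2017"),                  # reused: reset required
]

if __name__ == "__main__":
    print("accounts to force-reset:", find_reused_credentials(LEAKED, STORE))
    print("same password, different salts, different hashes:",
          salts_make_hashes_differ("hunter2"))
```

The store never holds a plaintext password, yet `find_reused_credentials` still identifies the accounts to reset; what it cannot do is match against a leak that itself contains only salted hashes from another system.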
Hashes – mine are 8-9 asterisks which never match alphanumeric input – their text instruction shows only lower-case. Though I was warned it must have at least one Number and one Capital letter – I have one with only 6 alphanumeric and another a helpline person input themselves. Which is correct for the User security?
As you note (and I will repeat this to all of your many comments here), “Ancestry says now it is their issue.”
I have confidence that Ancestry will resolve the issue. It seems they’re very proactive.
Pro-active is a façade: sent me 3 pages of exercises, fix pop-ups, change browsers, use Print Key and paste image onto the Chat Page (crashed my computer), clean and fix HD, remove temp files etc. All useless BS, as mentioned by another.
As you note (and I will repeat this to all of your many comments here), “Ancestry says now it is their issue.”
If “Our first interest is the protection of our users,” Heath said. “That comes before anything else.” is true, why weren’t we notified back when the breach was discovered…not months later?
You misunderstood: the breach was only discovered on December 20 and verified thereafter. The action, including notification, was within hours of verifying the breach.
Judy, I can’t access the mailing list archives. http://archiver.rootsweb.ancestry.com/th/index/BLEVINS/
The mailing lists aren’t supposed to be affected, Jillaine. I’ll pass your comment along (but it won’t get fixed until after the holiday, I’m sure).
“disclosure of about 300,000 username-password combinations from RootsWeb”
That doesn’t sound like a “minor” breach to me.
Only a handful (comparatively) are still active, and that’s what’s critical. Not to minimize it for those impacted but in the grand scheme of data breaches (think “Equifax”)… yes, minor.
We don’t know how many of those 300,000 username-password combinations are still active. Many of the username-password combinations are undoubtedly still being used on other websites but there’s no way for Ancestry to know.
Yep, and I won’t even comment on how dumb it is to use the same username-password combo at multiple websites.
Right. It is very bad policy to use the same username and password at multiple sites, however many people do this. The biggest problem I have in the way Ancestry is handling this is that if someone isn’t an active Ancestry customer or doesn’t use the same password on Rootsweb and Ancestry, then they’re not notified. What if someone doesn’t have an Ancestry account at all but still uses their Rootsweb username and password at other sites? They’re not notified so their accounts at other sites, including potentially their online banking accounts, could be compromised. Yes, it is bad policy to use the same username/password combinations at multiple sites, especially at sites that need to be secure such as online banking, but I guarantee you that some people that do will not be notified of this breach.
Individual may have one or more accounts due to trial and renewals as I have over 60 plus years. A renewal subscription completed and worked until DEC 28th. Each search defaults to the expired profile created by Genealogy.com but is locked into a new add to subscribe which also blocks the two month old subscription. I notified Ancestry HQ at Lehi, Utah Tony Blackham, security officer and again their Chat Room Expert or Pro yesterday finally wrote dilemma, both given instructions to resolve this issue. I have spent at least 40 hours with FTM 2017 and Ancestry. Ancestry says now it is their issue, though the response is VERY slow.
As you note (and I will repeat this to all of your many comments here), “Ancestry says now it is their issue.”
Ancestry is trying VERY hard to downplay this breach. Calling this “minor” compared to Equifax is ridiculous. Anyone who has used the online services knows that Ancestry and RootsWeb have hundreds of gigabytes of research from millions of genealogists. The CISO’s blog says “username and password combinations” – no mention of password hashes. Don’t try to BS us. Just admit what happened and fix your systems. Lying or misleading us will only make you lose credibility, which could kill your AncestryDNA services.
“Anyone who has used the online services knows that Ancestry and RootsWeb have hundreds of gigabytes of research from millions of genealogists.” And anyone who thinks this is as serious as Equifax must not do any online banking… Take my genealogy research any day, but leave my banking data alone!
It’s definitely not as big as the Equifax breach but this definitely cannot be described as a minor breach. No data breach that contains hundreds of thousands of username/password combinations in plain text can be considered minor. This is a major deal and Ancestry is not treating it as such.
Oh! it is minor. Their Ancestry internal staff have no idea what kind of systems issues their front people or automation systems unit are expected to overcome or ignore – no information shared perhaps time of day. They have no plan of attack on what they don’t perceive or visually conjure. One manager tried to help me with his assistant I only talked with, she and I mostly on hold for over 2 hours till the fix was done. Please rate us at the end of this call? How do I know if anything was done, much less fixed until tried? That didn’t go over well though friendly.
As you note (and I will repeat this to all of your many comments here), “Ancestry says now it is their issue.”
I predict Rootsweb will never, that is never, come back online as a competitive website to Ancestry.com. This is nothing but a ploy by Ancestry to get rid of the Free Rootsweb site. The real reason Ancestry bought Rootsweb out in the first place.
I agree with James – seeing that it is still not back up! That was my exact feeling as soon as I saw that this started in December and they still did not have a fix as of Feb 17th. It held our local cemetery listing and maps, so no longer going to be able to do photo requests at F.A.G. 🙁
Some parts are already back online, others that weren’t supposed to be affected are offline, so at this point, it’s anybody’s guess. In the meantime, use the Wayback Machine to access the info you need.
Most of us already see what you and James see, which is obvious. To downplay this is not the right way to look at it… and we still do not have tangible estimates on access to data. Keep up the press on Ancestry and it will definitely help to get them to understand it’s not any old legacy genealogy site.
If it makes you feel better to think that posting a comment here is putting pressure on Ancestry, well… good luck with that.