Wednesday, December 27, 2017

Security Breach at RootsWeb

There has been a security breach on RootsWeb, which is now owned by Ancestry. You can read more about it in this blog post. A security researcher notified Ancestry that he found a plain-text file containing 300,000 username/email address/password combinations. In response, Ancestry "analyzed" the file and found that 55,000 individuals used the same username/password combinations on both RootsWeb and Ancestry and are notifying those individuals. They are not notifying anyone who did not use the same credentials on both sites.


As an Information Security Engineer, this breach and this response is completely unacceptable. First, end user credentials, especially passwords, should NEVER be stored in plain-text format at all, much less on an Internet-accessible server. Anyone with an ounce of knowledge of information security would have told them this. Then they say the information in the file is quite old. How old? They don't say. This makes it even worse. They have no idea, or at least they're not sharing, how long this file has been accessible. This could have been out there for days, weeks, months, years, even decades! How many malicious actors could have gotten a hold of this information?

I'm sure some of you are saying "Who cares? It's just RootsWeb! It's a free service. It's not a big deal!"

It is a truly big deal. In addition to the fact that the information was out there at all, they are only notifying a small subset of people whose credentials were compromised. What about the thousands of people who don't have Ancestry accounts at all and that use the same usernames/passwords at other sites, including potentially online banking? Yes, it is an extremely bad idea to reuse passwords at multiple sites, especially anything that contains confidential information. Still, Ancestry has no idea if others might be doing this. They should be notifying everyone about this breach so those that do reuse passwords can change them.

In fact, thinking about this, this could have been how my Yahoo email account was hacked several years ago. Yes, I reused one password on both my RootsWeb account and my Yahoo email account. It was a very complex password and one that would have been virtually impossible to guess, yet someone still made it into my mailbox and started sending spam as me. Could this file of passwords really have been used that long ago? I believe it's possible.

Now, they have taken RootsWeb down completely. They estimate it will be inaccessible for "a few weeks". That is ridiculous. Anyone with an ounce of tech-savvy would have the site back up in a couple of days at worst. Possibly not at its full potential but it would be available. This tells me that Ancestry puts very little stock in their Information Technology and Information Security. In addition, they say "we may not be able to salvage everything". It is my sad belief that Ancestry will be using this as the first step in taking down RootsWeb.

I said it at the time that Ancestry purchased RootsWeb and when they purchased Find-A-Grave. Nothing good can come from this. Ancestry is a for-profit company. Both of these sites were free. I believe that Ancestry will end up charging for these or pulling their content behind their pay-wall. This is bad for genealogy. I'm beginning to think about where I can share a simple version of my family tree online, which is the only thing I use RootsWeb for at this time. If you have any suggestions, please let me know.

Okay. Time to step off of my soap-box. If you use the same password at other sites that you use at RootsWeb, change them now. Please don't use the same passwords at multiple sites. Please make them complex and store them in a secure offline location, such as a locked desk drawer.

--Matt

1 comment:

  1. Ancestry has apparently brought the World Connect family tree and the message boards features back online in a read-only format although the personal pages are still not available at this time.

    ReplyDelete