300,000 Users Exposed In Ancestry.com Data Leak (threatpost.com)
Dangerous_Minds shares a report from ThreatPost: Ancestry.com said it closed portions of its community-driven genealogy site RootsWeb as it investigated a leaky server that exposed 300,000 passwords, email addresses and usernames to the public internet. In a statement issued over the weekend, Chief Information Security Officer of Ancestry.com Tony Blackham said a file containing the user data was publicly exposed on a RootsWeb server. On Wednesday, Ancestry.com told Threatpost it believed the data was exposed in November 2015. The data resided on RootsWeb's infrastructure, and is not linked to Ancestry.com's site and services. Ancestry.com said RootsWeb has "millions" of members who use the site to share family trees, post user-contributed databases and host thousands of messaging boards. The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers. It added that there are no indications the data exposed to the public internet has been accessed by a malicious third party. The company declined to specify how and why the data was stored insecurely on the server. "Approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers," Blackham wrote.
November 2015 (Score:2)
Re: (Score:2)
Because transparency.
Re: November 2015 (Score:2)
Re: (Score:2)
This is my surprised look on my face that you have a surprised look on your face. lol
Re: (Score:2)
Re: (Score:2)
True. I keep looking at haveibeenpwned to see if I'm alive.
My "MySpace" account got hacked.
Bastards.
Re: (Score:2)
When you were taught logical fallacies, I think you may have been mistaken in imagining that they were good things.
Re: (Score:1)
Ancestry.com is owned by Permira, a European private equity firm that bought the company several years ago. Due to its location there are obviously many members of the LDS church who work there, just as there would be many Catholics and Baptists working for just about any large corporation located in most parts of Texas. There are also many people of other faiths or no religious affiliation at all that work at the company. And none of this has anything to do with the fact that the original post was just som
Re: (Score:1)
Yes, but as stated in the summary, 55,000 of the leaked rootsweb credentials had matching credentials on the ancestry part, and 7000 of those are actively-used current accounts. Probably at least a portion of the 55,000 use or have used the DNA part of ancestry. DNA has been all the rage at genealogy shows and conferences the past few years.
I was thinking the same thing! (Score:3)
Why would anyone design a system that actually stores the password? You hash the password, destroy the password, then move on.
Maybe it is too hard to write a hash because there are none available in libraries.....oh ....never mind.
Mother's maiden name? (Score:4, Interesting)
The company said RootsWeb doesn't host sensitive information such as credit card data or social security numbers.
Yeah, nothing sensitive and unchangeable such as a giant database of everyone's mother's maiden name, which is never ever used to "protect" access to credit card data.
Not the first time they leaked (Score:4, Informative)
I signed up ages ago with a unique email address in 2007 only used to sign up for their service with all partner offers and marketing choices if there were any set to no. Format of user-randomstring@domain.com
I started getting spam to their unique tag years ago so they lost data before. I may have kept a sample of the first spam but I think it was in 2008-2009 timeframe.
It's just their DNA (Score:1)
I'm sure they can easily change that.
Re: (Score:1)
But there were 55,000 credentials shared between the rootsweb component and the main ancestry component. Likely some of those have used the DNA service. For some reason it is pretty popular these days. For ONLY $99 bucks or so you can find out what you already knew: that you are predominantly of western european descent with a small fraction of ancestors from other areas mixed in, for example. And thus your DNA enters the commercial sector, which is largely unregulated, and when they don't keep the data sec
Now I know who to kill for my liver transplant ! (Score:2)
Mwa-ha-ha-haaaa !
Just kidding (for now) . . .
It is inevitable that genetic databases will be used by desperate rich people needing transplants.
I was thinking about sending in my sample anonymously . . . ;(
Then, I realized that I would be easily identified from my family who had sent in samples
Re: (Score:2)
Mwa-ha-ha-haaaa ! Just kidding (for now) . . . It is inevitable that genetic databases will be used by desperate rich people needing transplants.
I was thinking about sending in my sample anonymously . . . Then, I realized that I would be easily identified from my family who had sent in samples ;(
Don't forget law enforcement. Even if they couldn't use DNA evidence directly, if a match comes up, you can use parallel construction so you know exactly who you want to go after. They would love as many DNA samples as they can get.
Re: (Score:2)
There's that, plus the ability to pin a crime on anyone in a (half-decent) DNA database. Why? Because scientists are getting really good at creating DNA (and what have you) from recipes (electronic encoded information).
Just throw some DNA in the CRISPR, wait a day or two, and you have DNA evidence!
Re: (Score:2)
The other issue is that of low and mid ranking DoJ doing DNA work and the resulting random US wide federal database results.
Say a person did something bad in the 1970's. DNA is fully recovered from a stamp, letter related to the crime in 2017.
Put the new results of advance DNA recovery into some federal database and see if anyone related is in the US federal criminal/mil/federal DNA system.
Get some new names and start s
Re: (Score:2)
Don't want to go into local small town courts, gov, look at paper records in fly over country? Mentioning names and looking for records? That town worker might gossip about the DoJ asking for paperwork on well respected locals.
Do it digitally and get the DNA needed from one person near the suspect. No need to drive and fly out too many times to get records and risk questions by locals.
Just one time to g
Re: (Score:1)
Once DNA tests are mobile enough to be done on-site in a few minutes, there may be very few types of crimes (even minor infractions) that law enforcement won't see fit to use DNA to "solve."
Does Ancestry sell data to health insurers? (Score:2)