Hackers Expose Ancestry.com Security Hole
UPDATE: This story has been updated with a response from Ancestry.com
A security bug may exist on Ancestry.com that could leave the personal information of its registered users exposed and vulnerable to theft.
TeamHav0k, a network of "gray hat" hackers, found an SQL injection vulnerability in the genealogy-tracing website. To prove its point, the group copied the contents of a database belonging to the genealogical website and posted it online.
In a Pastebin post, the TeamHav0k hackers preface the leak with a note (full of spelling errors) explaining that their exploit was not meant to do any damage to Ancestry.com's registered users, but simply to highlight what the hackers believe is a major flaw for a high-profile site to have.
"A site like this should be more protected, considering the kind of information they have on people, just imagine if NATO, UN, FBI, CIA etc .. officials use this site to look back in time to see who all is in their family tree."
"This release is not meant to harm anyone, it's simply just to prove 'Security Is An Illusion,'" the group said.
As a public service, TeamHav0k wrote, "People need to understand the seriousness of little coding errors that lead to this sort of thing, they need to patch their systems the second a new updated version comes out to protect their assets and clients."
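The "little coding error" behind most SQL injection bugs is a query assembled by splicing user input into the SQL text, so that a quote character in the input changes the statement's structure. The following is an added illustration written for this article, not code from Ancestry.com, its vendor, or TeamHav0k; the table, rows and inputs are constructed, and the vulnerable lookup is placed beside the parameterized version that fixes it.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The coding error: user input is spliced directly into the SQL text.

    A single quote in `username` ends the string literal early, and whatever
    follows it is parsed as SQL rather than as data.
    """
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query.

    The statement text is fixed; the driver passes the value separately, so
    the input is always compared as data and can never alter the query.
    """
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a benign and on a constructed hostile input."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: closes the quoted literal, then appends a
    # condition that is always true. Against the vulnerable query the WHERE
    # clause becomes  username = 'x' OR '1'='1'  and every row comes back.
    hostile = "x' OR '1'='1"
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        "hostile_vuln": lookup_vulnerable(conn, hostile),
        "hostile_safe": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

On the benign input both functions return the same single row. On the hostile input the vulnerable query returns the whole table, while the parameterized query returns nothing, because no account is literally named `x' OR '1'='1`. Parameterized queries (or an ORM that generates them) are the fix; input filtering alone is not, since the defect is in how the statement is built, not in which characters are allowed.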
In an email to SecurityNewsDaily, Ancestry.com's director of corporate communications, Heather Erickson, said the vulnerability exposed by TeamHav0k "is on the company's corporate website, which is a separate website housed by a third party vendor and is not connected to any Ancestry.com customer financial or personal tree information."
SecurityNewsDaily opened the leaked database contents, which amounted to only 35 kilobytes. No actual user information was included; rather, the data seemed to be mostly front-end forms that a member would use to fill in family information when first signing up with Ancestry.com. There really wasn't much for identity thieves to work with.
The largest file in the database dump consisted of content to populate a "latest news" page on the Ancestry.com site. It dated from July 2010.
It's possible TeamHav0k has access to data deeper into the Ancestry.com site, but if this is as far as they got, then it's the equivalent of trying to break into a house and never getting past the entrance hall.