Ancestry.com has confirmed a breach of its decommissioned RootsWeb service.
Security researcher Troy Hunt (@TroyHunt), whom I have considerable respect for, discovered the breach and informed Ancestry. He has further commented that the company has handled this breach in exemplary fashion.
The breach involves an exposed file containing usernames, passwords and email addresses of 300,000 users of the RootsWeb service.
Ancestry says it has notified any impacted user, so if you ever used RootsWeb, you should have heard from Ancestry by now. That said, I believe it would be prudent to change your password on any Ancestry.com service that you use, whether or not you have been notified of a risk. Yes, this is abundantly cautious, but a reasonable step to take.
It’s encouraging to see the company respond well and aggressively to this breach. Other organizations will learn from how Ancestry has handled this.
The incident is still being investigated. It is not thought to be more widespread than what has been confirmed to date. Should I learn anything to the contrary, I will post an update.