Attempted breach of 8,543 email addresses from Legacy Family Tree Webinars
July 25, 2018
The Legacy Family Tree Webinar website (https://familytreewebinars.com) is home to genealogy-themed webinars, some of which are free and available to the public and some of which are available only to subscribers.
Yesterday, July 24, 2018, we detected an attempt to hack the website and stopped it in its tracks. Due to the architecture of the website, very little was compromised. The website doesn’t store any personal information other than email addresses. All other information about webinar subscribers, including names, passwords and credit card information, is stored separately on a secure third-party e-commerce service, and it is safe. The hacker was attempting to pull one email address at a time from a database table that stores which webinars were viewed by which registered users. We caught this and stopped the attack while it was occurring. That table contains 8,543 email addresses - a very small percentage of the overall Legacy user base - so some of these 8,543 addresses have been exposed to the hacker (but nothing else). Once we spotted the attack we immediately took the website offline. We fixed the vulnerability that allowed the attack and brought the website back online within 24 hours. We will be emailing all 8,543 potentially affected users today to notify them about the incident.
The 8,543 potentially affected webinar users come mostly from the USA, Canada and Australia. People who viewed webinars anonymously without signing up or logging in were not affected. People using the Legacy Family Tree software (but not the webinars) were not affected. For the affected users, there is no need to change passwords because the passwords are stored elsewhere and are safe. There is no need to take any action, but please continue to exercise caution in all your online activities, because there are bad people out there. The website doesn’t store family trees or any other sensitive personal data. The website operates on a cloud environment that is completely isolated from any other services.
As data breaches go, this one is very minor. Fortunately, this incident did not affect sensitive personal data. Nonetheless, we apologize for any inconvenience. In the next few days we will make a change in the website so that it will cease to store even email addresses (account IDs will be used instead of email addresses to store webinar viewership history) and there will be no personal information to take from it. Long live genealogy!
Users who have questions or concerns about the breach are welcome to contact our Support team at [email protected]