RockYou, one of the fastest growing tech companies ever [according to the RockYou website], which creates highly viral application-based advertising for Facebook, MySpace and other major social networks, was hacked [via an SQL injection flaw] in early December 2009, and in the process 32 million passwords and email addresses were stolen.
While much attention is being paid to the password choices of the 32 million users [I’ll have a post looking into that aspect soon], I found this paragraph most disturbing via RockYou’s security bulletin:
As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.
It is distressing that a company with an internet-facing business did not deem it necessary [or prudent, apparently] to encrypt its 32 million users’ email addresses and passwords. And while RockYou has, as a result of this security breach, decided to take the following steps:
1. We are encrypting all passwords;
2. We are upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms;
3. We are reviewing our current data security features and ensuring that they meet industry standards and best practices; and
4. We are cooperating with Federal authorities to investigate the illegal breach of our database.
I don’t think they really “get” the failure here.
We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users. We will continue to advise our users of any information that would help them.
Yes, the intrusion was illegal, but if RockYou had encrypted the password database in the first place, or better yet stored secure hashes of the passwords instead of the passwords themselves, the [illegal] breach would not have been nearly the magnitude that it was. Note that the 32 million passwords were not obtained by 32 million brute-force attack attempts [weak passwords notwithstanding]. They were obtained through a well-documented exploit against a company that didn’t practice prudent data protection policies.