
If you’ve ever installed a widget or application on your Facebook or MySpace profile from a company called RockYou (formerly called RockMySpace), you should change the password to your e-mail and social networking accounts immediately. According to TechCrunch, RockYou was hacked recently, compromising over 32 million passwords that were stored in the system.
This hack is especially frightening for users who don’t use separate passwords for all of their accounts (which is something we strongly advise) because RockYou stored the passwords in plain text, meaning that once the data was taken, no further decoding was needed to read every password.
RockYou offered their official statement on the incident in a response to the TechCrunch article.
On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.
So how did the attack occur in the first place? Jack Schofield of the Guardian explains.
Imperva, which was first to announce the attack, says the site was hacked using an SQL Injection attack, which is a very popular technique. Basically it means inserting commands written in the SQL database query language into web site queries. This works with sites that use SQL databases to dynamically create pages for specific users. An example would be creating a display showing a number of products on a shopping site.
While the hacker who accessed the information has opted not to share it, he claims in a blog post that he will “publish everything” if RockYou doesn’t come clean to its users about its lax security.
Clearly, RockYou is in the wrong for allowing their defenses to be so easily breached, and, more importantly, for leaving their passwords in the clear. Unfortunately, to say this is a one-time mistake by one company is a lie. Many companies don’t take the extra steps needed to protect themselves and their customers from attack. Sadly, the next time something like this happens, there’s no guarantee that the passwords won’t be repackaged and sold to the highest bidder.
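As an added example (not code from the article, RockYou or Imperva), the two failings the post describes, shown in Python against a constructed in-memory SQLite table: a lookup that splices user input into the query text beside its parameterized form, and passwords stored as salted PBKDF2 hashes rather than in plain text. The table layout and user names are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed demo table; not RockYou's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash BLOB, salt BLOB)")
    return db


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: what gets stored instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return digest, salt


def add_user(db, name, password):
    digest, salt = hash_password(password)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, digest, salt))


def lookup_vulnerable(db, name):
    # Untrusted input pasted into the SQL text: the pattern Schofield describes.
    # A crafted name changes the WHERE clause instead of being matched as data.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, name):
    # Placeholder binding: the driver passes the value separately from the
    # query, so quotes inside it are just characters to compare against.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def verify(db, name, password):
    """Recompute the hash with the stored salt; compare in constant time."""
    row = db.execute("SELECT pw_hash, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    digest, _ = hash_password(password, row[1])
    return hmac.compare_digest(digest, row[0])
```

With the hashed scheme, a dump of the `users` table yields salts and digests, not the passwords themselves, which is the difference the post is pointing at.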
[...] networking application developer RockYou. Through a SQL injection attack, a hacker was able to access more than 32 million user passwords from the company. Worst of all, the passwords were stored in plain text, meaning there was no [...]
[...] the first company to announce last month’s hack of social networking applications developer RockYou, has completed an analysis of the more than 32 million passwords that were exposed. In their [...]