RockYou Hacker: RockYou Not the Only Site With Plain Text Login Info


Two days ago, we talked about a massive security breach at social networking application developer RockYou. Through a SQL injection attack, a hacker was able to access more than 32 million user passwords from the company. Worst of all, the passwords were stored in plain text, so nothing stood between whoever obtained the database and sharing the usernames and passwords with the world. Luckily for users, the hacker had his White Hat on, posting to his blog that he wouldn’t share the information unless the website refused to acknowledge its security lapse.

Since then, RockYou has accepted responsibility for the security breach in an official statement.

Our users’ privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved.

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

Importantly, RockYou does not collect user financial information associated with RockYou.com widgets. In addition, user information for users of RockYou applications on partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, Cyworld, etc., was not implicated by the breach. The platform breach also did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform. Lastly, the security breach did not affect our advertising platform or our social network applications.

However, because the breached platform contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users’ other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.

While it is easy to heap blame on RockYou (it is definitely at fault in this situation), it is not the only company that keeps user password information in the clear. Yesterday, in an interview with ReadWriteWeb, the RockYou hacker, whom they called “Tom,” explained that this isn’t the first time he’s accessed sensitive user information stored without any encryption.

Tom says that one out of every three sites he’s gained access to stores user data in plain-text databases. “Server owners can use third-party sites for authentications, like Facebook, Google, OpenID or OAuth,” he said. “Why the [redacted] would they want user passwords? I don’t understand that.”

Tom also noted that there’s really no need for websites to keep that information and shared a chilling scenario of what might happen with a less ethical hacker.

“If you don’t store passwords for accounts, if somebody hacks you, what can he do? Deface your site. The end,” said Tom.

“That’s nothing against 32 million emails with passwords. Count how many of them have PayPal. If I check every one, and only 10 percent of them have it, and I take only $10, it’s a pretty nice amount, don’t you think?”

The hacker makes an excellent point with this object lesson, and he clearly holds RockYou and its ilk squarely at fault.

Tom, who says he’s employed in a good security-related job, believes there should be laws requiring companies to encrypt user data. He said, “They are now hunting for me, but why? I didn’t do anything wrong. They should now be in jail because they put all of these people at risk. This was just for illustration.”

The fact that RockYou was hacked so easily should send up warning flags for consumers. While I don’t promote hacking, I have to admit that Tom has a point. Companies should be able to show common sense about encrypting sensitive information. If they can’t, perhaps government regulation is necessary to protect users.
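The difference Tom describes, a dumped table that hands over every password versus one that yields nothing reusable, shown as an added example that is not code from the article or from RockYou. Where the article says “encrypt,” the practitioner's fix for stored passwords is a random per-user salt plus a slow hash (PBKDF2-HMAC-SHA256 here) rather than reversible encryption; the SQLite tables, e-mail addresses and passwords below are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; a real deployment tunes this higher.
PBKDF2_ITERATIONS = 200_000


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for a site's user tables (constructed)."""
    db = sqlite3.connect(":memory:")
    # Legacy layout, as in the breach: the password column holds the password itself.
    db.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    # Hardened layout: a random per-user salt and a salted, slow hash; no password.
    db.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_plain(db, email: str, password: str) -> None:
    db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))


def register_hashed(db, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh salt per user, so equal passwords hash differently
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))


def login_hashed(db, email: str, password: str) -> bool:
    """Verify a login without ever storing or comparing the raw password."""
    row = db.execute("SELECT salt, digest FROM users_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt), digest)


def dump_table(db, table: str) -> list:
    """Everything an attacker who can read the whole table obtains (table name is whitelisted)."""
    if table not in ("users_plain", "users_hashed"):
        raise ValueError("unknown table")
    return db.execute(f"SELECT * FROM {table}").fetchall()


def password_in_dump(rows: list, password: str) -> bool:
    """True if the password can be read straight out of the dumped rows."""
    needle = password.encode("utf-8")
    return any(col == password or (isinstance(col, bytes) and needle in col)
               for row in rows for col in row)
```

Run against the same credential in both tables, the plain dump reveals it and the hashed dump does not, while `login_hashed` still accepts the correct password and rejects a wrong one.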
