San Francisco — RockYou, the popular provider of third-party widgets and applications for Facebook, MySpace and other social-networking services, is being hit with a class-action lawsuit alleging that the company's data security was so poor that at least one hacker was able to gain access to 32 million e-mail addresses and their passwords.
An Indiana man, the lawsuit's lead plaintiff, says that RockYou compounded the security breach with a slow and ineffective response. The suit, which seeks class-action status, was filed last week in the U.S. District Court in San Francisco by lawyers for Alan Claridge, of Evansville, Ind., who registered with RockYou in August 2008 to use a photo-sharing application.
RockYou is a creator and provider of online apps and services like “SuperWall” on Facebook and “Slideshow” on MySpace.
Claridge said he received an e-mail from RockYou on December 16 informing him that his confidential information, including his e-mail address and password, may have been compromised in a security breach caused by RockYou's failure to maintain a secure user database. According to the suit, RockYou had been aware of the breach up to 12 days earlier — on December 4 — but did nothing to warn users.
The event — one of 2009's largest data breaches — went unacknowledged by RockYou for almost two weeks.
The complaint, filed in federal court in San Francisco, says that RockYou kept sensitive user information in an unencrypted "plain text" file, so that anyone who reached the file could read every password directly.
“RockYou failed to apply hashing, salting or any other reasonably sound method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security,” according to the complaint.
Security firm Imperva alerted RockYou on December 4 that it had learned of a breach of RockYou's network from underground hacker forums. RockYou had been hit through a common class of vulnerability known as SQL injection, in which untrusted input is passed into a database query and used to read or alter the information stored there, and hackers were openly discussing the fact that the hole at RockYou was being exploited, the lawsuit said.
SQL injection flaws are among the most common and most serious web security defects. Hackers, for example, exploited such flaws to steal some 130 million credit card numbers from the databases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems in 2007 and 2008.
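The two failings the complaint describes, plaintext password storage and a query that accepts untrusted input, are shown in their corrected form below. This is an added illustration, not code from RockYou or from the lawsuit; the in-memory table, e-mail addresses and passwords are constructed sample data, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a user database: it stores a per-user random
# salt and a PBKDF2 hash instead of the plaintext password.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # Salted, iterated hash (PBKDF2-HMAC-SHA256). Because each user gets a
    # fresh salt, two accounts with the same password store different values,
    # and a dumped table yields no directly reusable credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    # The '?' placeholders bind the values as data; they are never spliced
    # into the SQL text, which is what an injectable query would do.
    db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def stored_record(db: sqlite3.Connection, email: str):
    # Returns (salt, pw_hash) for inspection, or None if the user is unknown.
    return db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                      (email,)).fetchone()

def verify(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = stored_record(db, email)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = make_db()
    register(db, "alice@example.invalid", "correct horse")
    print(verify(db, "alice@example.invalid", "correct horse"))  # True
```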
Michael Aschenbrener, the lead attorney at KamberEdelson LLC, the law firm handling the suit, says that RockYou inexplicably failed to encrypt a database containing customers' e-mail accounts, passwords, and login credentials for a variety of social networking sites. Instead, the lawsuit contends, RockYou kept all of this critical data in plaintext files that were accessible to hackers for an unknown period of time.
Redwood City, California-based RockYou admits the data was “breached.” RockYou’s website now sports a red-and-white banner reading “Important Security Notice from RockYou.” A lengthy statement says that the company is “investigating the data breach, reviewing our security protocols, and implementing new practices to prevent this from happening again.”
Wendy Zaas, a company spokeswoman, said in an e-mail that RockYou “plans to defend itself vigorously. The company takes its users’ privacy seriously.”
The company’s privacy policy said it “makes commercially reasonable efforts to ensure the security of our system,” yet its user database was stored in plain text, according to the lawsuit.
In a telephone interview, Zaas declined to address the merits of the allegations in the lawsuit.
Meanwhile, RockYou recommends that users change their e-mail passwords to prevent hackers from viewing any sensitive information. There is also a less obvious danger created by the breach: because many consumers use the same password for multiple accounts, those other accounts may also be exposed. Consumers should therefore update any account on which they use the same — or even a similar — password.
The company said it was working with the government to investigate the illegal breach, and has begun encrypting passwords and “reviewing our current data security features.”
The plaintiffs are seeking a court order requiring RockYou to increase its security, as well as unspecified damages.