On Dec. 16, Indiana resident Alan Claridge received an e-mail from RockYou, a developer of widgets and applications designed for social networking sites, such as Facebook and MySpace, warning him that his personal information -- along with some 32 million other users -- may have been hacked because the company failed to properly secure a key customer database.
Claridge responded to the security breach -- which RockYou discovered itself just a couple of weeks before sending out the foreboding e-mail -- by filing a class action lawsuit (available here in PDF format) on behalf of himself and more than 32 million other people who either have received or will soon receive the bad news in their inbox.
Michael Aschenbrener, the lead attorney for KamberEdelson LLC, the law firm handling the suit, claims that RockYou inexplicably failed to encrypt a database containing customers' e-mail accounts, passwords, and login credentials for a variety of social networking sites. Instead, the lawsuit contends, RockYou kept all this critical data stored in plaintext files that were easily accessed by hackers for an unknown period of time.
"The alleged data breach was by no means unforeseeable," Aschenbrener said in a statement. "The means of the attack has been well-documented for some time, as has the means to prevent it."
"RockYou allegedly did nothing to prevent the attack or safeguard its customers' sensitive personal information," he added. "How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense."
The lawsuit, which was filed in the U.S. District Court in San Francisco, contains nine counts, including negligence, breach of contract, and violations of California's Computer Crime Law and California's Security Breach Information Act. The suit demands that RockYou protect customer data, and also seeks "unspecified damages."
In an apologetic explanation posted on its Web site, RockYou officials said the company immediately shut down the legacy platform dedicated to RockYou.com widgets as soon as the breach was discovered.
"However, because the platform breached contained user e-mail addresses and passwords, we recommend that our RockYou.com users change their passwords for their e-mail and other online accounts if they use the same e-mail accounts and passwords for multiple online services," RockYou said. "Changing passwords may prevent anyone from gaining unauthorized access to our users' other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts."
RockYou officials said the company does not collect users' financial information used to buy popular social networking applications such as "Pieces of Flair" and "SuperWall."
The company added that the breach did not affect any advertiser or publisher information, or user information for people downloading RockYou applications on its partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, and Cyworld.
"We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users," RockYou said in the posting. "We will continue to advise our users of any information that would help them."
Hackers have feasted on social networking sites for years and security software vendors predict the worst is yet to come as Facebook and Twitter become more popular and more populated by myriad third-party applications.
"Unfortunately, this represents another in a long line of data loss disasters and cloud computing catastrophes in 2009," Aschenbrener said. "For everyone's sake, let's hope companies resolve to protect their customer data in 2010."
While it may be far too little and way too late for millions of social networking fanatics, RockYou says it is now encrypting all passwords, will upgrade the legacy platform with improved infrastructure and security protocols and review all of its current data security features to ensure "that they meet industry standards and best practices."
Larry Barrett is a senior editor at InternetNews.com. Based in Las Vegas, Larry covers IT management, enterprise software, services and security.