RockYou hack exposes names, passwords of 30M accounts
SQL injection flaw blamed for intrusion at social networking app vendor
Computerworld - Hackers breached a database at social networking application maker RockYou Inc. and accessed username and password information on more than 30 million individuals with accounts at the company.
The passwords and user names were stored in clear text on the compromised database and the user names were by default the same as the users Gmail, Yahoo, Hotmail or other Web mail account.
RockYou did not immediately respond to a request for comment on the incident. In a statement sent to Tech Crunch, which first reported the breach, RockYou confirmed that a user database had been compromised that potentially exposed some "personal identification data" for about 30 million registered users. The company learned of the breach Dec. 4 and promptly shut down the site while the problem was addressed, the statement said.
Redwood City, Calif.-based RockYou offers widgets that are used widely on social networking sites such as Facebook, MySpace, Friendster and Orkut. The company bills itself as a leading provider of social networking application-based advertising services with more than 130 million unique users using its applications monthly.
The breach was discovered shortly after database security vendor Imperva Inc. informed RockYou of a major SQL injection error it had uncovered on a page on RockYou's Web site.
Amichai Shulman, Imperva's chief technology officer, said the company learned of the vulnerability on RockYou's Web site - and the fact that it was being actively exploited - as part of its regular monitoring of underground chat rooms.
Shulman said Imperva informed RockYou of the SQL flaw and that it allowed hackers to access the entire contents of RockYou's user database. RockYou did not respond to Imperva, nor did it appear to immediately take down its site as it claimed in its statement to Tech Crunch, Shulman said. The flaw was present for a day or more after Imperva informed RockYou of the issue before it was addressed he said.
In the meantime, a hacker had accessed the entire database and posted samples of the data on his Web site. The hacker claimed to have accessed 32,603,388 accounts complete with plain text passwords. "Don't lie to your customers, or i will publish everything," the hacker wrote in an apparent admonition to RockYou.
The incident is another example of how, many companies continue to remain exposed to SQL injection flaws, Shulman said.
In SQL injection attacks, hackers take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. SQL injection flaws have consistently been among the top Web application security problems for the past several years.
What is especially troubling about this incident is that RockYou stored its password data in plain text form instead of hashing it, a common security practice, Shulman said. Hackers could use the data to compromise the Web mail accounts of the affected users and then use that access to compromise other accounts, Shulman warned.
Since the data that was breached did not include financially sensitive data or Social Security numbers there's a strong possibility that those responsible for the hack were not financially motivated, said Gretchen Hellman, vice president of security solutions at Vormetric, a vendor of database security products. Rather, the hack appears to be an attempt to highlight some of the privacy pitfalls of social networking, she added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter @jaivijayan, send e-mail at firstname.lastname@example.org or subscribe to Jaikumar's RSS feed .
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts