RockYou hack exposes names, passwords of 30M accounts
SQL injection flaw blamed for intrusion at social networking app vendor
Computerworld - Hackers breached a database at social networking application maker RockYou Inc. and accessed username and password information on more than 30 million individuals with accounts at the company.
The passwords and user names were stored in clear text on the compromised database and the user names were by default the same as the users Gmail, Yahoo, Hotmail or other Web mail account.
RockYou did not immediately respond to a request for comment on the incident. In a statement sent to Tech Crunch, which first reported the breach, RockYou confirmed that a user database had been compromised that potentially exposed some "personal identification data" for about 30 million registered users. The company learned of the breach Dec. 4 and promptly shut down the site while the problem was addressed, the statement said.
Redwood City, Calif.-based RockYou offers widgets that are used widely on social networking sites such as Facebook, MySpace, Friendster and Orkut. The company bills itself as a leading provider of social networking application-based advertising services with more than 130 million unique users using its applications monthly.
The breach was discovered shortly after database security vendor Imperva Inc. informed RockYou of a major SQL injection error it had uncovered on a page on RockYou's Web site.
Amichai Shulman, Imperva's chief technology officer, said the company learned of the vulnerability on RockYou's Web site - and the fact that it was being actively exploited - as part of its regular monitoring of underground chat rooms.
Shulman said Imperva informed RockYou of the SQL flaw and that it allowed hackers to access the entire contents of RockYou's user database. RockYou did not respond to Imperva, nor did it appear to immediately take down its site as it claimed in its statement to Tech Crunch, Shulman said. The flaw was present for a day or more after Imperva informed RockYou of the issue before it was addressed he said.
In the meantime, a hacker had accessed the entire database and posted samples of the data on his Web site. The hacker claimed to have accessed 32,603,388 accounts complete with plain text passwords. "Don't lie to your customers, or i will publish everything," the hacker wrote in an apparent admonition to RockYou.
The incident is another example of how, many companies continue to remain exposed to SQL injection flaws, Shulman said.
In SQL injection attacks, hackers take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. SQL injection flaws have consistently been among the top Web application security problems for the past several years.
What is especially troubling about this incident is that RockYou stored its password data in plain text form instead of hashing it, a common security practice, Shulman said. Hackers could use the data to compromise the Web mail accounts of the affected users and then use that access to compromise other accounts, Shulman warned.
Since the data that was breached did not include financially sensitive data or Social Security numbers there's a strong possibility that those responsible for the hack were not financially motivated, said Gretchen Hellman, vice president of security solutions at Vormetric, a vendor of database security products. Rather, the hack appears to be an attempt to highlight some of the privacy pitfalls of social networking, she added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter @jaivijayan, send e-mail at email@example.com or subscribe to Jaikumar's RSS feed .
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!