RockYou settles FTC charges related to 2009 breach

Online gaming firm will pay $250,000, submit to independent audits for 20 years after exposing data on 30 million users

RockYou will submit to third-party security audits for the next 20 years as part of a settlement of charges filed by the U.S. Federal Trade Commission in connection with a Dec. 2009 data breach that exposed email addresses and passwords of more than 30 million people.

As part of the settlement announced Tuesday, the online social gaming company will also pay a $250,000 civil penalty to settle charges that it violated the Children's Online Privacy Protection Act (COPPA) by knowingly collecting email information from about 180,000 underage children without first getting parental consent.

The proposed settlement also requires RockYou to maintain a formal data security program and prohibits it from making 'deceptive claims' about its privacy and security practices.

In a statement, RockYou CEO Lisa Marino called the settlement a "fair" one.

"We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout," she said. "The events that led to this complaint occurred over two years ago and we have long since removed the features that led to this investigation. The focus of our business has evolved - we no longer operate applications such as those included in the complaint."

The case against RockYou is part of a broad effort by the FTC to ensure that companies live up to their security promises, the agency said in a statement.

To date, the FTC has brought legal action against about 36 organizations for failing to protect consumer data despite each company's claims of having measures in place to protect personal data.

RockYou, a Redwood City, Calif. developer of popular social media games like Gourmet Ranch and Zoo World, disclosed in Dec. 2009 that a user database had been compromised, exposing personal identification data of some 30 million registered users.

The breach was considered to be particularly egregious by some because the password data had been stored in plain text instead of being hashed, as is common practice.

The breach happened shortly after database security vendor Imperva warned RockYou about a serious SQL injection error in a page on its site.

Despite that warning, RockYou failed to immediately address the issue, Imperva claimed at that time. Less than two days after the warning, a hacker broke into RockYou's subscriber database, and accessed the 32,603,388 email addresses and plain text passwords stored in it.

A lawsuit filed against RockYou by a consumer in connection with the case was settled last December.

The settlement with the FTC comes a few days after Verizon released a report showing that a vast majority of data breaches are avoidable and stem from causes that require relatively little effort to mitigate.

According to Verizon more than 95% of the breaches it investigated in 2011 stemmed from fundamental security mistake such as using default configurations and passwords and failing to detect SQL injection errors such a the one that resulted in the RockYou breach.

Rob Rachwald, director of security strategy at Imperva, said that it is somewhat odd that that RockYou was fined for violating COPAA requirements but not for a breach that let hackers access more than 30 million passwords.

Rachwald contends that hackers are still using passwords from the RockYou breach to break into email accounts. "If you go to any dark market, the RockYou list is the gold standard for breached password lists," Rachwald said.

SQL injection vulnerabilities of the sort that caused the RockYou breach are also very common Rachwald said.

Many hackers use vulnerability scanning tools to probe websites for SQL injection flaws that they then exploit using automated SQL injection tools such as Havij, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2012 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon