RockYou hack exposes names, passwords of 30M accounts

SQL injection flaw blamed for intrusion at social networking app vendor

Hackers breached a database at social networking application maker RockYou Inc. and accessed username and password information on more than 30 million individuals with accounts at the company.

The passwords and user names were stored in clear text on the compromised database and the user names were by default the same as the users Gmail, Yahoo, Hotmail or other Web mail account.

RockYou did not immediately respond to a request for comment on the incident. In a statement sent to Tech Crunch, which first reported the breach, RockYou confirmed that a user database had been compromised that potentially exposed some "personal identification data" for about 30 million registered users. The company learned of the breach Dec. 4 and promptly shut down the site while the problem was addressed, the statement said.

Redwood City, Calif.-based RockYou offers widgets that are used widely on social networking sites such as Facebook, MySpace, Friendster and Orkut. The company bills itself as a leading provider of social networking application-based advertising services with more than 130 million unique users using its applications monthly.

The breach was discovered shortly after database security vendor Imperva Inc. informed RockYou of a major SQL injection error it had uncovered on a page on RockYou's Web site.

Amichai Shulman, Imperva's chief technology officer, said the company learned of the vulnerability on RockYou's Web site - and the fact that it was being actively exploited - as part of its regular monitoring of underground chat rooms.

Shulman said Imperva informed RockYou of the SQL flaw and that it allowed hackers to access the entire contents of RockYou's user database. RockYou did not respond to Imperva, nor did it appear to immediately take down its site as it claimed in its statement to Tech Crunch, Shulman said. The flaw was present for a day or more after Imperva informed RockYou of the issue before it was addressed he said.

In the meantime, a hacker had accessed the entire database and posted samples of the data on his Web site. The hacker claimed to have accessed 32,603,388 accounts complete with plain text passwords. "Don't lie to your customers, or i will publish everything," the hacker wrote in an apparent admonition to RockYou.

The incident is another example of how, many companies continue to remain exposed to SQL injection flaws, Shulman said.

In SQL injection attacks, hackers take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. SQL injection flaws have consistently been among the top Web application security problems for the past several years.

What is especially troubling about this incident is that RockYou stored its password data in plain text form instead of hashing it, a common security practice, Shulman said. Hackers could use the data to compromise the Web mail accounts of the affected users and then use that access to compromise other accounts, Shulman warned.

Since the data that was breached did not include financially sensitive data or Social Security numbers there's a strong possibility that those responsible for the hack were not financially motivated, said Gretchen Hellman, vice president of security solutions at Vormetric, a vendor of database security products. Rather, the hack appears to be an attempt to highlight some of the privacy pitfalls of social networking, she added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter @jaivijayan, send e-mail at or subscribe to Jaikumar's RSS feed .

Copyright © 2009 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon