Data Security Nightmare Exposes the Widespread Use of Trivial Passwords


Posted on February 1, 2010 08:40 by Tiffany Lim

In December 2009, RockYou—a social networking application site—suffered a breach of its systems that exposed the email addresses and passwords of over 32 million users.

RockYou offers online applications that run on popular social networking sites such as MySpace, Facebook, and Friendster, and has over 64 million monthly users. The hacker published all 32 million passwords on the Internet (but without the matching email username information).

What went wrong? It was later discovered that the hacker had accessed the information by exploiting a SQL injection flaw, despite RockYou being previously warned of such vulnerabilities by a data security firm. Compounding the problem were RockYou’s poor password policies and practice of storing password information in clear text—in other words, unencrypted data. RockYou enforced a mere five-character minimum password length, and did not require that the passwords contain any numbers or symbols. Moreover, RockYou emailed users their passwords in clear text.

Even more disturbing are the results of a study conducted by Imperva, a data security firm (a copy of Imperva’s report can be found at http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf). After analyzing all 32 million passwords, Imperva found that the most common password, chosen by almost 300,000 users, was “123456.” Ranked second, third, and fourth were “12345,” “123456789,” and “Password.” Even “Qwerty” made the list, ranking as the twentieth most commonly chosen password. All in all, nearly 50 percent of the leaked passwords consisted of names, dictionary words, slang words, or trivial passwords such as consecutive numbers.

On December 28, 2009, Alan Claridge of Indiana filed a lawsuit against RockYou in the United States District Court for the Northern District of California. Claridge, a RockYou member, is seeking class action status. The complaint alleges that RockYou failed to take adequate steps to protect users’ personally identifiable information, and contains nine causes of action, including negligence, breach of contract, and violation of California’s Security Breach Information Act. Specifically, the complaint alleges that “RockYou knowingly stored Plaintiff and the Class members’ [personally identifiable information] in an unprotected format and in a manner easily accessible to malicious intruders, in violation of its own Privacy Policy and accepted industry standards.”

Hopefully, companies will learn a lesson from RockYou and take steps to tighten their data security measures. Imperva suggests that administrators enforce strong password policies, ensure that passwords are neither transmitted nor stored in clear text, and employ a password-change protocol. Users should be encouraged to choose passwords that are longer than 6 characters and to use a combination of symbols and uppercase and lowercase letters. More importantly, users should create a different password for every online account. Many Internet users select the same password across numerous online accounts, making it easy for hackers to gain access to those users’ personal or work email accounts. A good starting point? Don’t choose “123456” as a password.
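As an added illustration (not code from the post, from RockYou, or from Imperva’s report), the following Python turns the recommendations above into a checkable policy: it rejects passwords of 6 characters or fewer, requires mixed case and a symbol, flags the trivial choices named in the post and runs of consecutive digits, and stores a salted PBKDF2 hash instead of clear text. The deny-list, the iteration count and the sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Trivial choices called out in the post (compared case-insensitively). A real
# deployment would load a far larger deny-list; this short set is illustrative.
TRIVIAL = {"123456", "12345", "123456789", "password", "qwerty"}
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")

def is_consecutive_digits(pw):
    """True for all-digit runs that step by +1 or -1 throughout, e.g. 123456 or 987654."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})

def violations(pw):
    """Return the list of policy rules a password breaks (empty list = acceptable)."""
    found = []
    if len(pw) <= 6:                       # post: longer than 6 characters
        found.append("too short")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        found.append("needs upper and lower case")
    if not any(c in SYMBOLS for c in pw):
        found.append("needs a symbol")
    if pw.lower() in TRIVIAL or is_consecutive_digits(pw):
        found.append("trivial password")
    return found

def store_password(pw, iterations=200_000):
    """Never keep clear text: record a random salt plus a PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(pw, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def trivial_share(passwords):
    """Fraction of a password list that fails the 'trivial' rule, like Imperva's tally."""
    bad = sum(1 for p in passwords if "trivial password" in violations(p))
    return bad / len(passwords)

if __name__ == "__main__":
    # Constructed sample list; the first three mirror the ranking quoted in the post.
    sample = ["123456", "12345", "Password", "Tr0ub4dor&3"]
    print("trivial share:", trivial_share(sample))   # → 0.75
    print("violations for 'Password':", violations("Password"))
```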


Visit DRI — The Voice of the Defense Bar