RockYou’s Sour Rhapsody

January 31st, 2010

RockYou.com, once a successful developer of applications for popular social networking websites like Facebook and MySpace, is now singing a different tune. While the company enjoyed great success toward the end of 2009 and secured a significant amount of funding for its projects, it suffered a major security breach as it was ushering in the New Year. As we mentioned in an earlier post, a huge amount of personal information was leaked: a SQL injection flaw in the site let attackers pull RockYou’s entire list of users, together with their passwords, straight out of the database.

While outside access to a database is never a good thing, the situation could have gone a lot more smoothly for RockYou if it had protected the information it stored. The company’s storage method was a little ridiculous. According to Techcrunch: “The database included a full list of unprotected plain text passwords. And email addresses!” Not only did the company fail to keep the database itself protected, it didn’t even try to secure its users’ private information: passwords were stored exactly as users typed them, rather than as salted hashes that would have been of little use to whoever dumped the table. As you can imagine, the fiasco is still hurting RockYou. The site had to put up an apologetic security notice and send a message to every user, informing them of the attack and asking them to change their password.

The Rocky Future

Though RockYou has already suffered a serious blow to its reputation in the technology world, the worst may be yet to come. A class action lawsuit has been filed against the company, led by Alan Claridge. The complaint alleges:

“While some security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ personally identifiable information by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers…

It is anyone’s guess whether the case will actually be tried in court (a settlement of some sort is more likely), but the damage is already done. As a business that appears to depend primarily on investors for capital, RockYou has lost its standing as a company that can be trusted with user data, and that is likely to cause it trouble in the future.

Lessons to be Learned

An interview with a person claiming to be the RockYou hacker points out a scary truth: by his estimate, 30% of websites store their users’ login information without any protection, keeping plain text passwords in the database. While there is no way to verify the statistic, its main message rings true. Most companies, even online businesses, are woefully unprepared for the dangers of the Internet. Full disk encryption, something that should have been standard for many years, is still unknown and unused by a multitude of companies. One caveat a practitioner would add: the two controls address different threats. Full disk encryption protects data at rest when a laptop or drive goes missing, but it does nothing for a running database that the web application queries on an attacker’s behalf; against a SQL flaw like RockYou’s, what would have contained the damage is storing passwords as salted hashes instead of plain text. Both are basic hygiene.
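To make the two failures concrete (the injectable query described earlier and the plain-text password table), here is an added example in Python with the standard-library sqlite3 and hashlib modules. It is not code from the original post or from RockYou; the user table, e-mail addresses, passwords and function names are all constructed for illustration. It runs the classic tautology payload against a query built by string formatting, shows the whole table (passwords included) coming back, and then shows the parameterised lookup with salted PBKDF2 hashes, where the same payload matches nothing and even a successful dump would yield only hashes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for a RockYou-style user table
# (addresses and passwords invented for this example).
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. A random 16-byte salt per user means two
    users with the same password get different stored values. Stored format:
    'pbkdf2_sha256$<iterations>$<hex salt>$<hex digest>'."""
    salt = salt or os.urandom(16)
    iterations = 200_000
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(plaintext: bool) -> sqlite3.Connection:
    """Build an in-memory users table, storing passwords either in plain
    text (the RockYou way) or as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    for email, pw in SAMPLE_USERS:
        stored = pw if plaintext else hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, stored))
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """The injectable pattern: user input pasted straight into the SQL text.
    Returns every row the query matched; an attacker wants more than one."""
    sql = (f"SELECT email, password FROM users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, email: str, password: str) -> bool:
    """Parameterised lookup plus hash verification: input can never change the
    query's structure, and the table holds no directly reusable secrets."""
    row = conn.execute("SELECT password FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


def demo() -> dict:
    # Tautology payload: closes the string literal and makes WHERE always true.
    payload = "' OR '1'='1"
    dumped = login_vulnerable(make_db(plaintext=True), payload, payload)
    safe = make_db(plaintext=False)
    # Hashing does not stop injection, but it limits what a dump is worth.
    hashed_dump = login_vulnerable(safe, payload, payload)
    return {
        "rows_dumped_by_injection": len(dumped),
        "plaintext_leaked": sorted(pw for _, pw in dumped),
        "hashed_db_leaks_only_hashes": all(pw.startswith("pbkdf2_sha256$")
                                           for _, pw in hashed_dump),
        "safe_rejects_injection": not login_safe(safe, payload, payload),
        "safe_accepts_real_login": login_safe(safe, "alice@example.com", "hunter2"),
        "safe_rejects_wrong_password": not login_safe(safe, "alice@example.com", "letmein"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable query is kept in the example against the hashed table too, to make the point that hashing is damage limitation, not a fix for the injection; the parameterised query is the fix. PBKDF2 is used here only because it ships with Python; in a real application a dedicated password-hashing library (bcrypt, scrypt or Argon2) is the usual choice.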

It’s best not to have a shocking wake-up call like the one RockYou’s security team got. Putting encryption in place before disaster strikes will help you avoid P.R. disasters and stay out of the courtroom. To try the proven technology we offer and protect your business, sign up for a free trial of Alertsec Xpress today!

Further Reading
RockYou Raises A Whopper – $50 Million In Venture Capital [Techcrunch]
Serious SQL flaw could have compromised millions of Rockyou.com users [Net-Security]
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now. [Techcrunch]
Social Application Developer RockYou Sued After Data Breach [Softpedia]
RockYou Hacker: 30% of Sites Store Plain Text Passwords [ReadWriteWeb]