Use Rock You? Change Password NOW!!

[Clair de la Lune]

One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.

• 20 Comments
• 323 retweet TOP100
  
• Share40

by MG Siegler on December 14, 2009

It’s no secret that most people use the same password over and over again for most of the services they sign up for. While it’s obviously convenient, this becomes a major problem if one of those services is compromised. And that looks to be the case with RockYou, the social network app maker.
Over the weekend, the security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the the service’s entire list of user names and passwords in the database, they warned. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that’s not before at least one hacker gained access to what they claim is all of the 32 million accounts. 32,603,388 to be exact. The best part? The database included a full list of unprotected plain text passwords. And email addresses. Wow.
The hacker has posted a sample of what they found. They have blanked out the passwords for now, but warns, “Don’t lie to your customers, or i will publish everything.” As far as we can tell, RockYou hasn’t issued a warning about this to its users yet. We’ve reached out to the company, but have yet to hear back.
RockYou has a history of stupidity. See here, here, and here. This may take the cake.
Update: Here’s the statement we were given by RockYou on the situation:

“On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”

They also say that they plan to issue the following email to users in the next 24 hours:

Dear RockYou user,
As you know, RockYou takes our users privacy very seriously. We take
a lot of effort to protect user data from security breaches and attacks.
Unfortunately, RockYou has very recently learned that it encountered a security breach. As part of this breach, it is possible that someone may have accessed at least your email address and password for the RockYou system. We felt it was important to notify you of this immediately so that you could take any action you feel necessary to protect your privacy.
If you have any questions, please feel free to contact security@rockyou.com. We are sorry for any problems this has caused you.
The RockYou team

Hmm “we felt it was important to notify you immediately” … 10 days later? And what’s the excuse for the plain-text passwords? FAIL.
[thanks ES]
[photo: flickr/naughty architect]
.cbw{ padding: 1px; border: 1px solid #b6b6b6; margin: .6em 0 .6em 0 !important; clear: both;} .cbw a{ color: #3F87BB !important; border: 0 !important; text-decoration: none !important;} .cbw a:hover{ color: #165d91 !important; border: 0 !important; text-decoration: none !important;} .cbw_header{ font-size: .9em; font-weight: bold; position: relative;} .cbw_header_text{ background: #f4f4f4 !important; padding: 1em 1em 1em 1em !important;} .cbw_header_toggle{ display: block; position: absolute; top: 1em; right: 1em; _right: 3.5em; font-weight: bold; cursor: pointer;} .cbw_header_get{ display: block; position: absolute; top: 1em; right: 7em; _right: 9.5em; font-weight: bold; cursor: pointer;} .cbw_subheader{ padding: .7em .7em .5em .7em !important; border: 0 !important; margin: 0 !important; font-size: 1.2em !important; background: #f4f4f4 !important; font-weight: bold;} .cbw_subcontent{ font-size: 0.95em; line-height: 1.2em !important; margin: .15em 0 .15em 0 !important; padding: .7em !important; background: white !important; border-top: 2px solid #f4f4f4 !important; border-bottom: 2px solid #f9f9f9 !important; overflow: hidden; height: auto;} .cbw_subcontent p{ margin: .45em .15em .45em .15em !important; padding: 0 !important;} .cbw_subcontent_left{ float: right !important; margin: 0 0 .5em .5em !important;} .cbw img{ max-width: 150px !important; max-height: 150px !important; border: 0 !important; padding: 0 !important;} .cbw img:hover, .cbw_subcontent_left a:hover{ border: 0 !important;} .cbw_subcontent_right{ } .cbw_subcontent table{ width: auto !important;} .cbw_subcontent td{ padding: .15em !important; vertical-align: top !important;} .cbw_subcontent .td_left{ width: 40px !important; font-weight: bold !important;} .cbw_footer{ padding: .8em !important; font-size: .9em !important; text-align: right !important; background: #f9f9f9 !important;} .cbw_footer a{ font-weight: bold; } .cbw_header_text { display: none; } get widgetminimize CrunchBase Information

RockYou

Website: rockyou.com Location:Redwood City, California, United States Founded: November, 2005 Funding: $119M Netpickle maker of RockYou (originally named RockMySpace) creates and distributes self-expression widgets. The widgets can be used to enhance the look and feel of blogs, personal websites and personal pages on social networks such as Facebook,… Learn More


Information provided by CrunchBase

[Sequoia]

What's "RockYou"?

[Clair de la Lune]

Rock You is an application on Facebook or MySpace and possibly some other social networking sites. I got this information from Twitter. Some people use Rock You to add glitter text, to enhance certain features of their site, for backgrounds, to create a picture slide show or cube, for cartoonizing their profile picture, games, applications, among other things. I think it describes some of the applications in the article above.