RockYou, the popular provider of third-party apps for Facebook, MySpace and other social-networking services, is being hit with a proposed class-action accusing the company of having such poor data security that at least one hacker got away with 32 million e-mails and their passwords.
The suit accuses the maker of apps like “Slideshow” for MySpace and “Superwall” for Facebook of making its unencrypted customer data “available to even the least capable hacker.”
“RockYou failed to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security,” according to the Monday complaint in San Francisco federal court.
So-called SQL injection vulnerabilities are among the top online security defects. Hackers, for example, took advantage of such flaws to steal some 130 million credit card numbers from databases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems in 2007 and 2008.
Redwood City, California-based RockYou admits the data was “breached.” The lawsuit claims a hacker known by the moniker “igigi” exploited an SQL injection flaw and “and removed the e-mails and passwords of approximately 32 million registered RockYou users.” (.pdf)
The suit also accuses the company of failing to promptly notify consumers of the Dec. 4 breach.
Wendy Zaas, a company spokeswoman, said in an e-mail that RockYou “plans to defend itself vigorously. The company takes its users’ privacy seriously.”
In a telephone interview, Zaas declined to address the merits of the allegations in the lawsuit.
Michael Aschenbrener, the lead lawyer suing RockYou, said in a telephone interview that “there was a complete breach of RockYou’s database. It does appear to be a catastrophic breach. ”
More than a week after the breach, the company recommended that its customers “change their passwords for their e-mail and other online accounts if they use the same e-mail accounts and passwords for multiple online services. ”
The company said it was working with the government to investigate the illegal breach, and has begun encrypting passwords and “reviewing our current data security features.”
The plaintiffs are seeking a court order requiring RockYou to increase its security, as well as unspecified damages.
Original post wired.com