RockYou Hack: From Bad To Worse

Earlier today news spread that social application site RockYou had suffered a data breached that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

Data UserAccount [32603388]
================
1|jennaplanerunner@hotmail.com|mek*****|myspace|0|bebo.com
2|phdlance@gmail.com|mek*****|myspace|1|
3|jennaplanerunner@gmail.com|mek*****|myspace|0|
5|teamsmackage@gmail.com|pro*****|myspace|1|
6|ayul@email.com|kha*****|myspace|1|tagged.com
7|guera_n_negro@yahoo.com|emi*****|myspace|0|
8|beyootifulgirl@aol.com|hol*****|myspace|1|
9|keh2oo8@yahoo.com|cai*****|myspace|1|
10|mawabiru@yahoo.com|pur*****|myspace|1|
11|jodygold@gmail.com|att*****|myspace|1|
12|aryan_dedboy@yahoo.com|iri*****|myspace|0|
13|moe_joe_25@yahoo.com|725*****|myspace|1|
14|xxxnothingbutme@aol.com|1th*****|myspace|0|
15|meandcj069@yahoo.com|too*****|myspace|0|
16|stacey_chim@hotmail.com|cxn*****|myspace|1|
17|barne1en@cmich.edu|ilo*****|myspace|1|
18|reo154@hotmail.com|ecu*****|myspace|1|
19|natapappaslie@yahoo.com|tor*****|myspace|0|
20|ypiogirl@aol.com|tob*****|myspace|1|
21|brittanyleigh864@hotmail.com|bet*****|myspace|1|myspace.com
22|topenga68@aol.com|che*****|myspace|0|
23|marie603412@yahoo.com|cat*****|myspace|0|
24|mellowchick41@aol.com|chu*****|myspace|0|
25|baiko0o@aol.com|may*****|myspace|0|
26|indahamzah84@hotpop.com|lov*****|myspace|0|

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform isĀ a swiss cheese of security vulnerabilities and poor practices.

Where RockYou Went Wrong

Poor password policies

RockYou account creation only enforced password of a minimal length of 5 characters, there was no requirement for mixed-case, numbers or punctuation. The platform actually encouraged simple passwords by not allowing any punctuation at all.

Passwords in the clear

RockYou are still storing passwords in the clear, and transporting user passwords in the clear via email. Despite the attack taking place over 10 days ago now and RockYou knowing about the attack, a user signing up for a RockYou account today will still have their password stored as plain text and emailed to them in the clear.

The password anti-pattern

RockYou prompted users to enter their third-party site credentials directly into the RockYou site when sharing data or an application. The Facebook integration requires proper Facebook authentication, and MySpace integration today applies similar techniques, but for most of the other sites the same old crazy password request form is still present. Telling your users that you will not store their password is not a solution.

Terrible Response

RockYou knew about the breach days ago, and it took a taunt from the hacker for the issue to become well-known and for RockYou to issue a response (although their users are still not aware of the issue, unless they are reading the news online).

The sites privacy policy and the related ‘security’ section state:

Our Commitment To Data Security:
RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your transmission of information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

If RockYou! learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. RockYou! may post a notice on the RockYou! Sites if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive a free written notice of a security breach (or to withdraw your consent from receiving electronic notice) you should notify us using this contact form.

Next time you sign up for a web service, take a moment to see where they stand on informing their users on a data breach, and find out just how much they respect the privacy of their users.

RockYou have beenĀ complacent with what is a very serious matter. They have not taken steps to rectify the problems that caused the breach and have not addressed their users in a suitable or adequate manner. An appropriate response would have been to take the site down for a period of a few hours and enforce that users enter new passwords, which would be stored in a hashed or encrypted form. The sad thing is that companies are able to get away with being so complacent, because most users will not find out about this, most users will never be affected by it and there is zero accountability for a users private data from service providers.

If you know of any company with similar policies, such as emailing passwords in the clear – call them out in the comments or email us on tips at beta.techcrunch.com. We will make sure that we followup with each of them, and call them out if necessary.