RockYou's users are to be informed over the coming weeks that their passwords have been compromised - but it took the company ten days to make that move.
If you've ever used a site called RockYou - a publisher of gadgets for social networking sites - you might want to retire your password, as it has almost certainly fallen into the hands of ne'er-do-wells.
As reported over on TechCrunch
the site has fallen victim to an SQL injection attack which allowed crackers access to the entire back-end database - including unencrypted passwords.
While gaining access to personal information like this is pretty serious, it's made rather worse by the fact that the site has around 32 million active accounts - according to the cracker himself, 32,603,388 - all with plaintext passwords. Warning RockYou that if they refused to tell their customers of the security breach he would "publish everything
," the cracker backed up his claims by posting suitably redacted extracts from the database.
The breach is made more severe by the very nature of the users targeted by the site: on average, users of social network such as Facebook or MySpace are more likely to use a single password across multiple sites - meaning that the password leaked as part of the RockYou database crack could well be valid for other, more serious, sites including e-mail accounts and on-line banking.
Indeed, the company even appears to have been storing usernames and passwords for third-party accounts
- such as linked Hotmail and MySpace accounts that users have entered the information for - in plaintext.
Talking to VentureBeat
, RockYou's chief technology officer Jia Shen has admitted that the crack is extremely serious, and confirms that passwords were not stored in a non-reversible hashed form and that the database had no encryption - both serious breaches of data security best practice. Shen also stated that the company was taking steps to inform its users of the breach, and admitted that the company had known of the attack for at least ten days without going public to warn its customers.
Are you amazed that a company can grow so large and still be so clueless about data security, or is this one of the problems we will have to face with the growth of Web 2.0? Share your thoughts over in the forums