bit-tech.net

RockYou passwords stolen

RockYou's users are to be informed over the coming weeks that their passwords have been compromised - but it took the company ten days to make that move.

If you've ever used a site called RockYou - a publisher of gadgets for social networking sites - you might want to retire your password, as it has almost certainly fallen into the hands of ne'er-do-wells.

As reported over on TechCrunch, the site fell victim to an SQL injection attack which gave the cracker access to the entire back-end database - including every password, stored in plaintext.

Access to personal information on this scale is serious enough, but it is made worse by the fact that the site has around 32 million active accounts - 32,603,388 according to the cracker himself - every one of them with a plaintext password that can be used immediately, with no cracking effort required. Warning RockYou that he would "publish everything" if the company refused to tell its customers about the breach, the cracker backed up his claims by posting suitably redacted extracts from the database.

The breach is made more severe by the very nature of the users targeted by the site: on average, users of social networks such as Facebook or MySpace are more likely to use a single password across multiple sites - meaning that a password leaked from the RockYou database could well be valid for other, more serious, sites including e-mail accounts and on-line banking.

Indeed, the company even appears to have been storing usernames and passwords for third-party accounts - such as the Hotmail and MySpace logins users had entered to link those services - in plaintext as well.
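To make the two points above concrete - a query that splices user input into SQL hands over whatever else is in the database, and a plaintext password column means the dump is immediately usable - here is an added example, not code from RockYou or from the original article. It uses an in-memory SQLite database with constructed sample rows (nothing from the real dump) and two textbook injection strings; the article does not say what input was used against RockYou, so those are assumptions. The same profile lookup is written twice, once with string concatenation and once with a bound parameter:

```python
import sqlite3

# Constructed sample data for this example (not rows from the RockYou dump):
# a users table with plaintext passwords, plus a table of linked third-party
# logins, mirroring the two kinds of data the article says were exposed.
SAMPLE_USERS = [
    ("alice", "hunter2", "alice@example.com"),
    ("bob", "letmein", "bob@example.com"),
    ("carol", "qwerty123", "carol@example.com"),
]
SAMPLE_LINKED = [
    ("alice", "hotmail", "alice@hotmail.example", "hunter2"),
    ("bob", "myspace", "bob_m", "letmein"),
]


def make_db():
    """In-memory SQLite database standing in for the site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute(
        "CREATE TABLE linked_accounts (owner TEXT, site TEXT, login TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO linked_accounts VALUES (?, ?, ?, ?)", SAMPLE_LINKED)
    return conn


def lookup_vulnerable(conn, username):
    """Profile lookup with the username spliced into the SQL text.

    Whatever the caller supplies becomes part of the statement, so quotes,
    OR, UNION and comment markers in the input are interpreted as SQL.
    """
    sql = (
        "SELECT username, password, email FROM users "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter: the value travels separately from
    the statement and can never change its structure."""
    sql = "SELECT username, password, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical attacker inputs (assumed for this example; the article does
# not give the string used against RockYou). Two textbook forms:
TAUTOLOGY = "' OR '1'='1"                         # every row of the queried table
UNION_DUMP = ("' UNION SELECT site, login, password "
              "FROM linked_accounts --")          # rows from a different table


def demo():
    """Run both lookups against both payloads and return the rows each yields."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "union": lookup_vulnerable(conn, UNION_DUMP),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "parameterized_union": lookup_parameterized(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The tautology returns all three user rows, and the UNION form returns the linked Hotmail and MySpace credentials from a table the lookup was never meant to touch; with the bound parameter, both strings are simply usernames that match nothing. Escaping input (the approach suggested in the comments below) reduces the risk but leaves the query text dependent on the escaping being applied correctly everywhere; a parameterized statement removes the question.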

Talking to VentureBeat, RockYou's chief technology officer Jia Shen admitted that the crack is extremely serious, and confirmed that passwords were not stored in a non-reversible hashed form and that the database had no encryption - both serious breaches of data security best practice. Shen also stated that the company was taking steps to inform its users of the breach, and admitted that the company had known of the attack for at least ten days without going public to warn its customers.
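What "non-reversible hashed form" means in practice, as an added example rather than anything RockYou ran: each password is run through a slow, salted key-derivation function and only the salt and the result are stored, so a dumped table cannot be read back into passwords. The accounts below are constructed sample data, and the PBKDF2 iteration count is an assumed cost parameter to be tuned for the hardware that actually checks logins.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameter for PBKDF2-HMAC-SHA256; raise it until one hash takes
# a noticeable fraction of a second on the login servers you actually run.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different stored values, and a table precomputed for one salt is useless
    against every other row.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(candidate, expected)


# Constructed sample accounts (not data from the breach). Two users share a
# password, which is exactly the pattern a plaintext dump exposes.
SAMPLE_ACCOUNTS = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "hunter2")]


def plaintext_table(accounts=SAMPLE_ACCOUNTS):
    """What the article describes: the password column is the password."""
    return {user: pw for user, pw in accounts}


def hashed_table(accounts=SAMPLE_ACCOUNTS):
    """The same accounts stored as salted PBKDF2 hashes."""
    return {user: hash_password(pw) for user, pw in accounts}


def reused_passwords(table):
    """Given a dumped table, list the groups of users whose stored value is
    identical. A plaintext table reveals reuse directly; with per-user salts
    every stored value is distinct, so the dump says nothing about reuse."""
    seen = {}
    for user, value in table.items():
        seen.setdefault(value, []).append(user)
    return [users for users in seen.values() if len(users) > 1]


if __name__ == "__main__":
    table = hashed_table()
    print("alice login ok:", verify_password("hunter2", table["alice"]))
    print("reuse visible in plaintext dump:", reused_passwords(plaintext_table()))
    print("reuse visible in hashed dump:", reused_passwords(table))
```

Two caveats a practitioner would want. First, hashing protects only secrets the site verifies; the linked Hotmail and MySpace credentials mentioned above have to be replayed to those services, so they cannot be hashed and would need either encryption under a key kept outside the database or, better, not to be stored at all. Second, a salted slow hash buys time rather than safety: common passwords in a 32-million-row dump would still fall to guessing, which is why users who reuse passwords need to be told promptly, not ten days later.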

Are you amazed that a company can grow so large and still be so clueless about data security, or is this one of the problems we will have to face with the growth of Web 2.0? Share your thoughts over in the forums.

14 Comments

mi1ez 16th December 2009, 13:46 Quote
These people sound like idiots, but I wonder how many other companies have databases that are similarly insecure...

I'll bet it's more than we'd even like to think about!
proxess 16th December 2009, 13:49 Quote
Quote:
Originally Posted by mi1ez
These people sound like idiots, but I wonder how many other companies have databases that are similarly insecure...

I'll bet it's more than we'd even like to think about!

+1
NickCPC 16th December 2009, 13:50 Quote
Most of their "gadgets" are rubbish anyway, I'm glad I don't use their "services".
NuTech 16th December 2009, 14:07 Quote
Why on earth would they store passwords in their database? That's as irresponsible as it gets.

This quote on their homepage made me laugh too -
Quote:
As you know, RockYou takes our users privacy very seriously. We take a lot of effort to protect user data from security breaches and attacks.

No, obviously we don't 'know'...
BradShort 16th December 2009, 14:13 Quote
No need to keep passwords, n00bs. If your data is that insecure I believe you should be able to sue.....
sear 16th December 2009, 15:35 Quote
This is why you keep your personal information off the Internet as much as you can. Nothing is safe or secure anymore.
TomH 16th December 2009, 15:42 Quote
Quote:
Originally Posted by proxess
Quote:
Originally Posted by mi1ez
These people sound like idiots, but I wonder how many other companies have databases that are similarly insecure...

I'll bet it's more than we'd even like to think about!

+1
+2^9000
Mr T 16th December 2009, 15:44 Quote
What kind of n00b stores passwords in plaintext >_<
mclean007 16th December 2009, 16:34 Quote
And that concludes lesson 101 in why you shouldn't rely on SSL alone to secure user data - just because the user session is secure from snooping doesn't mean someone can't extract the data from your database. At an absolute minimum, passwords should be irreversibly hashed before being entered into a database. Preferably use a salt with hmac (http://uk3.php.net/manual/en/function.hash-hmac.php) to prevent simple collision searches on hashed data. Hashing does increase database size (a typical password might be 8 chars, a typical hash is 128 or 160 bit, i.e. 32/40 hex chars or 27/22 base 64 chars) but that is a small price to pay, and the difference is unlikely to have substantial diskspace / performance implications unless we're talking about a database the size of Facebook's.

Also, encrypting everything isn't a bad idea (though usability / performance implications may make it impractical). Lastly, what clown left the backdoor open? It isn't hard to unescape every user passed parameter to guard against MySQL injection. http://uk3.php.net/manual/en/function.mysql-real-escape-string.php
mclean007 16th December 2009, 16:38 Quote
double post
bigsharn 16th December 2009, 17:20 Quote
I think I've got a Bebo with RockYou Horoscope on it from about 4 years ago with the name Bigsharn Macwartbutt and the address of the whitehouse... so I'm not worried :p
1ad7 17th December 2009, 05:31 Quote
Awesome... wow... that's retarded.
airchie 18th December 2009, 01:27 Quote
That is some special skills right there...
sub routine 18th December 2009, 06:42 Quote
pfft no encryption,

10 days to inform everyone.

What a bunch of c*Nts