RockYou, a distributor and creator of applications for social networking sites, was compromised by a SQL injection attack that exposed passwords and e-mails for more than 32 million user accounts.
But perhaps just as troubling as the attack is that the passwords and e-mails of its user base were stored in the clear. By default, the user names were the same as the users’ Webmail accounts.
According to Imperva CTO Amichai Shulman, his company uncovered the issue while monitoring hacker forums. They contacted RockYou, which promptly fixed the issue, but not before someone exploited it and posted some of the data here.
RockYou did not respond to an eWEEK request for comment, but it has confirmed the breach according to other reports. In a statement to TechCrunch, RockYou said its IT team was alerted that the user database had been compromised, and that RockYou took down the site until a security patch was in place. The company also reportedly said that no application accounts on Facebook were impacted by the hack, and that most of the affected accounts were for earlier applications no longer formally supported by the company.
Still, it is important for all organizations, regardless of size, to understand what sensitive data they collect and the impact it will have on the business if it’s breached, said Gretchen Hellman, vice president of security solutions at Vormetric. From there, businesses can adopt appropriate security measures – including encryption of sensitive data stores.
“Based on resources, most organizations of a small size and early stage have not incorporated security into their business and IT practices unless they are in a field that is ‘security aware’ or have customer contractual obligations to do so,” she said. “While this shouldn’t be the case, security is rarely seen as mission critical until it’s been breached, is tied to revenue or has a regulation with severe penalties insisting that it is implemented.”
To prevent any problems, RockYou users should change their passwords, Shulman advised.