December 31, 2009, 2:10 PM — An Indiana man sent a popular social networking app maker a great big "piece of flair" yesterday -- in the form of a class-action lawsuit. Alan Claridge sued RockYou, creators of spamtastic Facebook and MySpace apps like "Pieces of Flair" and "SuperWall," after the company admitted to having lost over 30 million individuals' personal identification data to a hacker.
The incident -- one of 2009's top data disasters -- went unacknowledged by RockYou for almost two weeks.
How was it lost?
Remember when it used to be okay to write your computer's user name and password on a sticky note and slap it on your monitor? Oh right -- that was never okay. But that was basically what RockYou did with all of its confidential data. Instead of encrypting or taking any reasonable measure to defend itself, RockYou kept all of its stored personal data in plaintext files. Yes: .txt docs.
"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit states.
So it was remarkably easy for the hacker known as "igigi" to exploit RockYou's SQL injection vulnerabilities (basically "poor coding"). You may remember that term from earlier this year when Heartland Payment Systems went whoopsie with millions and millions of credit card numbers. According to a copy of the lawsuit obtained by Wired, "igigi" scampered away with "the e-mails and passwords of approximately 32 million registered RockYou users."
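The two failures described above (plaintext credential storage and SQL injection) have well-understood fixes, shown here in an added example that is not code from RockYou or from the article. The in-memory SQLite schema, the sample accounts and the PBKDF2 parameters are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for the example; tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def connect():
    # Constructed in-memory user table; the schema is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted, one-way hash: a dump of this column does not hand over
    # the passwords themselves, unlike the plaintext files described above.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(conn, email: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def stored_record(conn, email: str):
    # Parameterised lookup: the email is bound as data, so quotes or SQL
    # keywords inside it cannot change the structure of the statement.
    return conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()


def verify(conn, email: str, password: str) -> bool:
    row = stored_record(conn, email)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = connect()
    register(db, "alice@example.com", "correct horse")  # constructed account
    print(verify(db, "alice@example.com", "correct horse"))
```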
What did RockYou do?
Not too much, according to the suit. Claridge received an e-mail from RockYou on December 16 informing him that his information may have been compromised. Meanwhile, 12 days earlier, RockYou discovered its own vulnerabilities and shut down its site.
For starters, RockYou published an apology/explanation of the attack on its Web site. "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved," the company writes.