RockYou Sued Over Data Breach

By Brennon Slattery, PC World | Security

An Indiana man sent a popular social networking app maker a great big "piece of flair" yesterday -- in the form of a class-action lawsuit. Alan Claridge sued RockYou, creators of spamtastic Facebook and MySpace apps like "Pieces of Flair" and "SuperWall," after the company admitted to having lost over 30 million individuals' personal identification data to a hacker.

The incident -- one of 2009's top data disasters -- went unacknowledged by RockYou for almost two weeks.

How was it lost?

Remember when it used to be okay to write your computer's user name and password on a sticky note and slap it on your monitor? Oh right -- that was never okay. But that was basically what RockYou did with all of its confidential data. Instead of encrypting or taking any reasonable measure to defend itself, RockYou kept all of its stored personal data in plaintext files. Yes: .txt docs.

"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit states.

So it was remarkably easy for the hacker known as "igigi" to exploit RockYou's SQL injection vulnerabilities (basically "poor coding"). You may remember that term from earlier this year when Heartland Payment Systems went whoopsie with millions and millions of credit card numbers. According to a copy of the lawsuit obtained by Wired, "igigi" scampered away with "the e-mails and passwords of approximately 32 million registered RockYou users."
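The two failures the article describes, credentials kept in plaintext and a database that accepted user input as part of its SQL, are both fixed with a few lines of code. The following is an added example, not RockYou's code and not from the lawsuit or the PC World article: it uses an in-memory SQLite table with a constructed schema and constructed sample accounts. Passwords are stored as salted PBKDF2 hashes (what "encrypting all passwords" in RockYou's statement should mean in practice: a one-way, salted, slow hash, so a stolen table does not yield the passwords themselves), and the lookup is written both the broken way (string concatenation) and the correct way (parameter binding), so you can see that a plain apostrophe in an e-mail address is parsed as SQL in one and treated as data in the other.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2; raise as hardware gets faster. (Constructed value.)
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are ever written to the table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def open_store():
    """Constructed stand-in for a user database; not RockYou's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn, email, password):
    salt, digest = hash_password(password)
    # Parameter binding for the write as well; the plaintext password never reaches the DB.
    conn.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)", (email, salt, digest))


def lookup_unsafe(conn, email):
    """The 'poor coding' pattern: the caller's string is spliced into the SQL text."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


def login(conn, email, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def demo():
    """Run the comparison on constructed accounts and report what each path did."""
    conn = open_store()
    register(conn, "alice@example.com", "correct horse")
    register(conn, "o'brien@example.com", "hunter2")  # a legitimate address containing a quote

    # With concatenation the apostrophe terminates the SQL string literal and the
    # statement no longer parses: proof the input was interpreted as SQL, not as data.
    try:
        lookup_unsafe(conn, "o'brien@example.com")
        unsafe_parsed_as_sql = False
    except sqlite3.OperationalError:
        unsafe_parsed_as_sql = True

    # Is the plaintext password recoverable from anything stored in the table?
    stored_plaintext = any(
        b"correct horse" in salt or b"correct horse" in pw_hash
        for salt, pw_hash in conn.execute("SELECT salt, pw_hash FROM users")
    )

    return {
        "unsafe_parsed_as_sql": unsafe_parsed_as_sql,
        "safe_rows": len(lookup_safe(conn, "o'brien@example.com")),
        "good_login": login(conn, "alice@example.com", "correct horse"),
        "bad_login": login(conn, "alice@example.com", "wrong"),
        "stored_plaintext": stored_plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The `stored_plaintext` check is the one that matters for a breach like this one: once the table only holds salts and hashes, an attacker who copies it still has to guess each password, and the iteration count makes every guess expensive.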

What did RockYou do?

Not too much, according to the suit. Claridge received an e-mail from RockYou on December 16 informing him that his information may have been compromised. Meanwhile, 12 days earlier, RockYou discovered its own vulnerabilities and shut down its site.

What's next?

For starters, RockYou published an apology/explanation of the attack on its Web site. "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved," the company writes.

Further, RockYou plans to investigate, review, and implement "new practices to prevent this from happening again." RockYou cited the following steps:

"We are encrypting all passwords;

We are upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms;

We are reviewing our current data security features and ensuring that they meet industry standards and best practices; and

We are cooperating with Federal authorities to investigate the illegal breach of our database."

The lawsuit, which was filed in the U.S. District Court in San Francisco, contains nine counts, including negligence, breach of contract, violation of California's Computer Crime Law, and violation of California's Security Breach Information Act, among others. The suit demands that RockYou protect customer data, and also seeks "unspecified damages."

With this kind of pressure bearing down on its shoulders, RockYou should quickly clean up its act. But the principle of the matter hangs heavy: how are we supposed to enjoy harmless social networking apps when matters can turn so unexpectedly sour? RockYou's failure to protect its customers and its 12-day wait before informing anyone of the hack exposes a strain of negligence that simply should not exist in this Internet age.
