Our users’ privacy and data security have always been a priority for RockYou and we strive to keep them secure.
Except, of course, when a hacker breaches security and releases 32 million passwords stored in clear-text.
The security firm Imperva had issued a warning to RockYou that there was a serious SQL injection flaw in their database. Such a flaw could grant hackers access to the service’s entire list of user names and passwords in the database. At least one hacker gained access to 32 million accounts. The database included a full list of unprotected plain-text passwords. And email addresses.
On the RockYou website, there is a disclosure riddled with the usual corporate doublespeak. But the kicker is here:
However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users’ other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.
We are investigating the data breach, reviewing our security protocols, and implementing new practices to prevent this from happening again. For example, we are taking the following steps:
1. We are encrypting all passwords;
2. We are upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms;
3. We are reviewing our current data security features and ensuring that they meet industry standards and best practices; and
4. We are cooperating with Federal authorities to investigate the illegal breach of our database.
Now, we could always ask why the service had not implemented these basic practices before the breach but there is an important object lesson. The practice of using the same userid and weak password across multiple Internet accounts is clearly high risk. An analysis of the leaked passwords found that nearly half of the users used trivial passwords. The most common password was ‘123456’.
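The contrast between what the breached database stored and what it should have stored, as an added Python example that is not part of the original post: a plain-text record beside a salted, iterated PBKDF2 hash, plus a registration check that refuses trivial passwords such as ‘123456’. The denylist, the work factor and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed denylist; '123456' is the value the leaked data showed most often.
# A real service would load a far longer list of known-leaked passwords.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "qwerty"}
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def is_trivial(password: str) -> bool:
    """Reject very short passwords and anything on the denylist."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def store_plaintext(password: str) -> str:
    """What the breached site did: the stored record IS the secret."""
    return password


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash: the stored record does not reveal the password."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Policy a service could apply before storing a credential."""
    if is_trivial(password):
        raise ValueError("password is too short or on the common-password list")
    return store_hashed(password)


if __name__ == "__main__":
    record = register("correct-horse-battery")
    print(record)
    print(verify("correct-horse-battery", record))  # True
    print(verify("123456", record))  # False
```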
For all of my critical online accounts — banking, investing, email — I use very strong passwords. And I test the passwords on this site to be sure:
Just curious… can these password meters store your “entries” into a database which can be used against you somehow? Are they watching your entries by way of cookies or spyware?
Although it would be possible to store the passwords into some form of database, the collection of a userid is not performed and not derived and there is no association or presumption of association to any particular userid from one session to the next. And there is no trojan or virus code.
did you know that password richard cleaver = 0% and john smith = 7%
That is too funny. I guess I’d better not use my name as a password 🙂