Do you remember the RockYou fiasco? You probably don't as it happened in late 2009. Let me refresh your memory: social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission (FTC).
The FTC charged that, while touting its security features, RockYou failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The FTC also alleged in its complaint that RockYou violated the Children's Online Privacy Protection Act (COPPA) Rule in collecting information from approximately 179,000 children.
In agreeing to FTC's settlement, RockYou has been barred from future deceptive claims regarding privacy and data security, has to implement and maintain a data security program, must submit to security audits by independent third-party auditors every other year for 20 years, is barred from future violations of the COPPA Rule, is required to delete information collected from children under age 13, and must pay a $250,000 civil penalty. You can read the full 12-page complaint from the FTC here: PDF.
Not spelling out its collection, use and disclosure policy for children's information.
Not obtaining verifiable parental consent before collecting children's personal information.
Not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.
RockYou operated a website that allowed consumers to play games and use other applications, including one that let you create slide shows from your photos, add your own captions and music supplied by the site. To save your slide shows, you had to enter your e-mail address and password.
As a refresher, here were the top 10 passwords used by RockYou users:
If any of these resembles your password, please go change it. If you are still storing your customer data in plain text, please go encrypt it.