FTC fines RockYou $250,000 for storing user data in plain text

The Federal Trade Commission has fined social game developer RockYou $250,000 for storing 32 million e-mail addresses and passwords, including 179,000 belonging to minors, in plain text.
Written by Emil Protalinski, Contributor

Do you remember the RockYou fiasco? You probably don't, as it happened in late 2009. Let me refresh your memory: social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission (FTC).

The FTC charged that, while touting its security features, RockYou failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The FTC also alleged in its complaint that RockYou violated the Children's Online Privacy Protection Act (COPPA) Rule in collecting information from approximately 179,000 children.

In agreeing to the FTC's settlement, RockYou has been barred from future deceptive claims regarding privacy and data security, has to implement and maintain a data security program, must submit to security audits by independent third-party auditors every other year for 20 years, is barred from future violations of the COPPA Rule, is required to delete information collected from children under age 13, and must pay a $250,000 civil penalty. The full 12-page complaint is available from the FTC as a PDF.

The FTC's COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a clear, understandable, and complete privacy policy. The FTC alleged that RockYou knowingly collected children's email addresses and associated passwords during registration – without their parents' consent – and asked for kids' date of birth, meaning it accepted registrations from kids under 13. The FTC charged that RockYou violated the COPPA Rule by:

  • Not spelling out its collection, use and disclosure policy for children's information.
  • Not obtaining verifiable parental consent before collecting children's personal information.
  • Not maintaining reasonable procedures, such as encryption, to protect the confidentiality, security, and integrity of personal information collected from children.

RockYou operated a website that allowed consumers to play games and use other applications, including one that let you create slide shows from your photos, add your own captions and music supplied by the site. To save your slide shows, you had to enter your e-mail address and password.

As a refresher, here were the top 10 passwords used by RockYou users:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

If any of these resembles your password, please go change it. If you are still storing your customer data in plain text, please go encrypt it.
