David Heath
Tuesday, 15 December 2009 11:38
RockYou is an application hub publishing a number of gadgets for use on a variety of social networking sites. Visiting their website, users are confronted with add-ons for Facebook, MySpace, Hi5 (the dating site, not the children's entertainers!), Bebo and many others.
According to reports, RockYou has around 32 million registered users. And this is where the problems start.
According to the good folks at Imperva, it appears that there was a SQL injection flaw on the site. This flaw allowed pretty much unimpeded access to the back-end database. It would appear that on December 4th someone took a copy of the entire user database. We know this because they publicized pieces of it, with details obscured. The link is on the TechCrunch site, but don't follow it – malware was pushed at my PC when I tried.
Unfortunately, it wasn't until at least December 14th that RockYou acknowledged the intrusion, although they claim that the intrusion was quickly detected and the site taken offline to close the loophole.
In a statement, RockYou claimed that they are about to advise all users of the intrusion.
Ten days after the intrusion, they still haven't advised the compromised accounts?
By the way – the reason everyone is up in arms about this? The user database records contained (amongst other information) every user's email address and their RockYou password IN PLAIN TEXT!
So, if you were one of the majority of users who tend to use the same password on multiple sites, you now have a big problem. Worse, the bad guys have a ten-day head start on you.
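The two failures described above, a query open to SQL injection and passwords kept as plain text, both have standard fixes. The sketch below is an added example, not RockYou's code; the table layout, function names and scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt cost parameters for this example; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so a copied table does not expose passwords."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt: equal passwords give different hashes
    # Placeholders (?) keep user input as data; it is never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def verify(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)

def dump_contains(db: sqlite3.Connection, secret: str) -> bool:
    """Simulate a full copy of the user table and look for the secret in it."""
    needle = secret.encode()
    for row in db.execute("SELECT email, salt, pw_hash FROM users"):
        for col in row:
            data = col.encode() if isinstance(col, str) else bytes(col)
            if needle in data:
                return True
    return False

if __name__ == "__main__":
    db = open_db()
    register(db, "alice@example.test", "correct horse 42")  # constructed sample
    print("login ok:", verify(db, "alice@example.test", "correct horse 42"))
    print("password in table dump:", dump_contains(db, "correct horse 42"))
```

Even with this in place, a stolen table can still be attacked offline by guessing, so weak or reused passwords remain at risk; the hash only raises the cost per guess.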
So, what does this mean?
