RockYou's Craptastic Security

As Internet users, many of us blindly trust that companies are making reasonable efforts to protect our privacy and our data. And then you read a story like this and you consider never signing up for another "Web 2.0" service again. RockYou, social network application developer, suffered a major SQL injection attack in which a hacker was able to retrieve email addresses and passwords for millions of user accounts. To make matters worse, since RockYou integrates with other platforms like Facebook and MySpace, users' passwords for those networks were exposed as well. Part of the reason why it was so easy for the hacker to obtain the passwords was that RockYou was storing them unencrypted in their database.

This is very upsetting on many levels:

  1. It is beyond negligent to store your user's passwords in plain text. Strong encryption is easy.
  2. Better yet, let someone else handle authentication for you. That's what OpenID is for.
  3. After signup, RockYou would email its users with the username and password they'd just set up. Apparently it wasn't enough to store the passwords in plain text, they also had to send it via an insecure protocol.
  4. RockYou asked users to enter their credentials for 3rd party sites directly on their site, and they promised that they wouldn't save those 3rd party logins. Needless to say, they were lying.
  5. RockYou was informed of the vulnerability to SQL injection days before the hacker broke in and stole the passwords, and they didn't act on it.

RockYou, you're doing a heckuva job. This was the best that CTO Jia Shen could come up with:

“We started off as a small company and today we have a different engineering structure...But shame on us. If you make a mistake, then people can get in and it is a big hole...Our security approach in the future will have to be deeper.”

Umm. No shit.

So what does this mean for you and me? Well, unfortunately there's no way to know how secure your information is on any given site. Privacy policies don't generally specify that passwords are encrypted in the database, or that the site has been coded to guard against many types of SQL injections. So I guess the takeaways are: be wary of sharing sensitive information in general; use lots of different passwords for various sites you sign up for; and never enter your credentials for one site on another site. Ever. The message for developers is: let someone else handle your login process via OpenID.

Read RockYou Hack: From Bad To Worse