Forgot your password?
typodupeerror
Security The Almighty Buck Your Rights Online

FTC Fines RockYou $250,000 For Storing User Data In Plain Text 127

Posted by samzenpus
from the pay-up dept.
An anonymous reader writes "You probably don't remember the RockYou fiasco as it happened in late 2009. In case you don't, social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission."
This discussion has been archived. No new comments can be posted.

FTC Fines RockYou $250,000 For Storing User Data In Plain Text

Comments Filter:
  • Passwords!? (Score:5, Interesting)

    by smc170 (2609895) on Tuesday April 03, 2012 @06:32PM (#39566281) Homepage Journal
    "As a refresher, here were the top 10 passwords used by RockYou users: 123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678 abc123" Very original!
  • by l0ungeb0y (442022) on Tuesday April 03, 2012 @07:33PM (#39566869) Homepage Journal

    I advised them prior to them leaving Iconix to start RockYou and shortly after they started angel round. I'm surprised they even got funding, I saw their code when they first got going -- hideously bad. It looked like little kids had created their sad PHP "infrastructure" and Flash slideshow app. They wanted help writing crontab tasks to run queries that took several minutes -- which I was able to pare down to under a second with proper query writing. Seems they had never heard of sub-selects or how to properly structure joins.

    But, they clearly had connections within the entertainment industry and hit a chord with their target market of teenage girls and "bling" for their MySpace pages. And they got lots of money for a pretty easy concept.

    Seeing them storing sensitive user data in plain text shows that not much has changed in their "core infrastructure".
    In fact, they were doing it back then too and I told them that was bullshit -- too bad they chose not to listen.
    Hopefully they've now learned how to use PHP's MCrypt Library, or at least use hashes.
    But this security failure has been going on since 2005/2006

Take care of the luxuries and the necessities will take care of themselves. -- Lazarus Long

Working...