FTC Fines RockYou $250,000 For Storing User Data In Plain Text

An anonymous reader writes "You probably don't remember the RockYou fiasco as it happened in late 2009. In case you don't, social game developer RockYou suffered a serious SQL injection flaw on its flagship website. Worse, the company was storing user details in plain text. As a result, tens of millions of login details, including those belonging to minors, were stolen and published online. Now, RockYou has finally settled with the Federal Trade Commission."

They fined RockYou like a hurricane!

[Anonymous Coward]

A category 3. Could have been worse.

Re:They fined RockYou like a hurricane!

[mcl630]

We will
We will
Rock You!

We will
We will
Fine You!

Reasons to store in plaintext

[Spy Handler]

* Some users like to be reminded of their password if they forget. If you lost your password, what kind of email would you rather get?

"Your password has been reset, and your new password is dFgk3b&4k72"

or,

"Your password is iloveyou123"

* You might decide to fire up phpmyadmin and browse the `users` table for fun one day.

* If you're going to hash the passwords, you should salt it too, and that just introduces too much complexity and things to screw up. Keep it simple!

* Your boss doesn't know what a hash is, why should you?

Re:Reasons to store in plaintext

[truedfx]

What's most wrong with that is the suggestion that one might use phpmyadmin for fun.

This isn't fair...

[Metricmouse]

RockYou did the best they could by using double ROT13 encryption of these files. So sad to see them get fined.