RockYou has come under fire recently after a SQL injection flaw resulted in a data breach which exposed over 32 million RockYou user emails and passwords. Rather than immediately solving the problem, however, RockYou was complacent. As Nik Cubrilovic pointed out, “They have not taken steps to rectify the problems that caused the breach and have not addressed their users in a suitable or adequate manner. An appropriate response would have been to take the site down for a period of a few hours and enforce that users enter new passwords, which would be stored in a hashed or encrypted form.” Two weeks later a class action has been filed.
According to Wired, “RockYou, the popular provider of third-party apps for Facebook, MySpace and other social-networking services, is being hit with a proposed class-action accusing the company of having such poor data security that at least one hacker got away with 32 million e-mails and their passwords.” The suit claims that RockYou made “its unencrypted customer data ‘available to even the least capable hacker.’”
It’s a poor showing for a company which recently raised an additional $50 million in a Series D round. Good thing the company has cash though. They’ll now be able to afford a strong legal team to defend them in court. SQL injection attacks are things that beginner programmers learn about when protecting their system, making it clear that RockYou’s code was not sound.
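Added example (not RockYou's code, and not from the original post) of the two defects the breach combined: a login lookup that splices user input into SQL text, beside a parameterized lookup over a table that stores only a salted PBKDF2 hash, so a dump of the table yields no cleartext passwords. The table, emails and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table (not RockYou's schema). The stored value is a
# salted PBKDF2 hash, so leaking this table does not leak cleartext passwords.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt; the cleartext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))


def lookup_sql_vulnerable(email: str) -> str:
    # The anti-pattern: the email becomes part of the SQL text, so a value
    # containing a quote changes the statement instead of being matched as data.
    return f"SELECT salt, pw_hash FROM users WHERE email = '{email}'"


def vulnerable_lookup_fails(email: str) -> bool:
    # Runs the spliced statement; even a legitimate apostrophe already breaks it.
    try:
        conn.execute(lookup_sql_vulnerable(email)).fetchone()
        return False
    except sqlite3.OperationalError:
        return True


def verify_login(email: str, password: str) -> bool:
    # Hardened form: the email is a bound parameter, never SQL text, and the
    # password is checked by recomputing the hash and comparing in constant time.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```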
It will be interesting to see if this suit amounts to anything. If someone puts their password in your form, you should make efforts to protect that user data; however, it’s not clear how far one has to go to protect those users. Regardless of legal bearing, protecting users is critical for any company which intends to become as large as RockYou has become.