File under FAIL: social network widget maker RockYou has fallen victim to a SQL injection flaw and as a result some 32.6 million users are being urged to change their passwords as a matter of urgency.

Security specialists Imperva discovered the problem at social networking development site Rockyou.com and issued a warning to users of its applications earlier this week. "Rockyou.com is not just any software site. Since its creation in 2006, it's become the hub for many social networking sites such as Bebo, Facebook and Myspace, to mention but a few," said Amichai Shulman, Imperva CTO.

Shulman claimed that the "vast majority" of user names and passwords were, by default, the same as the users' webmail accounts, adding "the users are young and security is not top of mind, but nonetheless companies need to keep them protected and ensure their details are safe... it is the responsibility of application owners to protect the information trusted to them by users".

TechCrunch reports that the hacker exploit took advantage of a "trivial SQL injection vulnerability" which "has been well documented for over a decade" and is "extremely basic in execution, yet catastrophic in impact". Worse yet, it points out that RockYou only requires 5-character passwords, and that these were stored in plain text. If this were not bad enough, users of RockYou widgets were prompted to "enter their third-party site credentials directly into the RockYou site when sharing data or an application". Indeed, SQL injection exploits are nothing new and have hit the most unlikely of people, including security experts Kaspersky. That said, I agree with TechCrunch that this really does look like it was a security disaster just waiting to happen, not least thanks to a basic misunderstanding of the importance of a secure password strategy.

RockYou, meanwhile, have made the following security statement:

Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved.

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users' email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

Importantly, RockYou does not collect user financial information associated with RockYou.com widgets. In addition, user information for users of RockYou applications on partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, Cyworld, etc., was not implicated by the breach. The platform breach also did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform. Lastly, the security breach did not affect our advertising platform or our social network applications.

However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users' other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.

We are investigating the data breach, reviewing our security protocols, and implementing new practices to prevent this from happening again. For example, we are taking the following steps:

1. We are encrypting all passwords;
2. We are upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms;
3. We are reviewing our current data security features and ensuring that they meet industry standards and best practices; and
4. We are cooperating with Federal authorities to investigate the illegal breach of our database.

We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users. We will continue to advise our users of any information that would help them.
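The two weaknesses the article describes, user input spliced into the SQL text and passwords kept in plain text, beside the kind of fix RockYou's list of steps implies (parameterised queries, a longer minimum length, and salted one-way hashing rather than reversible "encryption"). This is an added example, not RockYou's or the article's code; the in-memory SQLite table, the 12-character minimum and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

MIN_PASSWORD_LEN = 12  # assumption; the article notes RockYou accepted 5 characters


def make_db():
    # Constructed in-memory table standing in for a widget-site user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256: a one-way hash, not a reversible "encrypted" password.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(db, name, password):
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password shorter than policy minimum")
    salt, digest = hash_password(password)
    # Placeholders bind the name as data; it is never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))


def _verify(row, password):
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def login_vulnerable(db, name, password):
    # The flaw the article describes: the username is formatted into the query.
    # Even a legitimate name such as O'Brien breaks the statement, a symptom that
    # code review or the application error log should surface on its own.
    query = f"SELECT salt, pw_hash FROM users WHERE name = '{name}'"
    return _verify(db.execute(query).fetchone(), password)


def login_hardened(db, name, password):
    # Parameterised query: the driver sends the name separately from the SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return _verify(row, password)
```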

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Amazing how many companies clearly don't encrypt their password database. Just look, for example, at banks which ask for the 2nd and 9th character of your password when you log in. The only way they could do this is if their copy isn't encrypted.


Where can I find this "trivial SQL injection vulnerability" documented? I want to read about it.
