For failing to employ reasonable data protection measures

Jan 4, 2010 15:16 GMT  ·  By

RockYou Inc., a company developing applications for popular social networking platforms, has been sued in the Northern District of California for failing to properly protect its customers' data. The lawsuit follows last month's breach, in which a hacker broke into the company's infrastructure and stole the e-mail addresses and passwords of an estimated 32 million users.

RockYou develops and maintains some of the most popular applications on social networking websites such as Facebook, MySpace, hi5, Friendster, Orkut and Bebo. According to independent statistics, RockYou is the biggest application developer on Facebook after Zynga, with an estimated total of 64,212,394 monthly active users. Its "Birthday Cards" Facebook application alone has 31,655,727 monthly active users and ranks second on the application leaderboard.

In mid-December, news broke that a hacker had compromised RockYou's systems and walked off with the e-mail addresses and associated passwords of 32,603,388 users. It was later revealed that the attacker had exploited an SQL injection vulnerability to gain unauthorized access to the database.

The company did not immediately respond, but eventually admitted that "one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format." RockYou noted that the database in question was stored on a legacy platform and recommended that all users change their passwords.

The class action lawsuit was filed on behalf of one Alan Claridge of Evansville, California and "all others similarly situated." The complaint (PDF) centers on the allegation that "while some security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII [personally identifiable information] by leaving data entirely unencrypted and available for any person with a basic set of hacking skills to take [it]."

The complaint goes on to note that storing passwords in hashed form has been a widely accepted industry standard for some time. However, recent similar incidents have shown that many big companies, even some involved in security, fail to follow this practice. "RockYou failed to use hashing, salting, or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security."
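To make the complaint's distinction concrete, the following is an added example, not code from the article, the complaint or RockYou. It keeps a constructed three-account user table twice: once the way the breached database was described (plaintext passwords) and once with a per-user random salt and a slow key-derivation function. The choice of PBKDF2-HMAC-SHA256 and the iteration count are this example's assumptions, not something the complaint specifies; the e-mail addresses and passwords are made up. Dumping either table stands in for what the SQL injection handed the attacker.

```python
"""Plaintext password storage beside salted, iterated hashing.

Added illustration; not RockYou's code. The accounts below are constructed
sample data (two users deliberately share a password), and PBKDF2-HMAC-SHA256
with the iteration count below is an assumption made for this demo.
"""
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob share a password on purpose.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "iloveyou"),
]

# Assumed work factor for this demo; real deployments tune this to their hardware.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(users):
    """How the breached table was described: the dump *is* the password list."""
    return {email: password for email, password in users}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, derived_key); a fresh 16-byte random salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def store_hashed(users):
    """Store only (salt, derived_key) per user; the password itself is never kept."""
    return {email: hash_password(password) for email, password in users}


def verify(record, candidate):
    """Check a login attempt against a stored (salt, derived_key) record.

    Re-derives with the stored salt and compares in constant time so the
    comparison itself does not leak how many leading bytes matched.
    """
    salt, derived = record
    _, candidate_derived = hash_password(candidate, salt)
    return hmac.compare_digest(derived, candidate_derived)


def leaked_passwords(plain_table):
    """What an attacker reads directly out of a plaintext dump: every password."""
    return set(plain_table.values())


def identical_records(hashed_table, email_a, email_b):
    """With per-user salts, equal passwords do not yield equal rows, so the
    dump does not even reveal which users share a password."""
    return hashed_table[email_a][1] == hashed_table[email_b][1]


def crack_with_wordlist(record, wordlist):
    """Offline guessing against a hashed dump is still possible, but costs one
    full KDF run per candidate per user; that cost is what salting and
    iteration buy. Returns the matching guess or None."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plaintext dump exposes:", leaked_passwords(plain))
    print("alice/bob hashed rows identical:",
          identical_records(hashed, "alice@example.com", "bob@example.com"))
    print("login alice/123456:", verify(hashed["alice@example.com"], "123456"))
    print("wordlist hit for carol:",
          crack_with_wordlist(hashed["carol@example.com"], ["password", "iloveyou"]))
```

The point the complaint makes is visible in the two tables: the plaintext one gives the attacker 32 million reusable credentials for free, while the salted, iterated one forces a separate, deliberately slow guessing campaign per account and hides even which users share a password. A hashed dump is still worth protecting, but it no longer turns a single injection into a ready-made credential list.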

The implications of this breach are far reaching, especially since studies have repeatedly shown that most users reuse the same password across several online accounts. Additionally, in the hands of a skilled attacker, someone's e-mail account can prove highly valuable. Last year, after compromising the Gmail account of a Twitter employee, a hacker used social engineering, publicly available data and deduction to break into various senior staff accounts and leak confidential corporate documents.

According to Wired, a RockYou spokesperson stressed that the company "takes its users' privacy seriously" and that "it plans to defend itself vigorously."