Posted by Angela in Internet
32 Million Passwords Hacked! Thanks RockYou.com.

A relatively popular social networking application site called RockYou! has been embarrassed non-stop over the past forty-eight hours. “Good,” you might say, “They deserve it.” But any user of this site needs to be aware that his or her information (including email and passwords) has been hacked.
The site received sufficient warning of a code error from their security company, Imperva, over the weekend. This error could allow easy access to the site’s server. RockYou! had plenty of time to correct the code error before an attack happened on December 4th. The hacker claims to have obtained all 32 million users’ emails and passwords stored on the site’s server. RockYou! made it easy for the hacker to read all the information because it was not encrypted or hashed at all; emails and passwords were stored in plain text. That is a pretty big deal. But an even bigger deal is how RockYou! informed its users of the breach: they didn’t! After claiming they would send a generic “We’re sorry for the inconvenience” e-mail sometime yesterday, RockYou! has yet to follow through.
RockYou!’s privacy policy vaguely describes how they would handle a situation such as this one:
“If RockYou! learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. RockYou! may post a notice on the RockYou! Sites if a security breach occurs.”
The RockYou! blog remains silent and has recently been deactivated.
The hacker has posted some of the information on his blog with passwords not visible. He also writes (to RockYou! staff), “Don’t lie to your customers, or I will publish everything.” He means business. He has also compiled some statistics of the most frequently used passwords on Singles.org, phpBB.com, and Myspace.com.
Maybe Lance Tokuda and Jia Shen (the two founders of RockYou!) could have learned a lesson from Twitter CEO Evan Williams back in July when he committed a similar mistake.
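The plain-text storage described in this post, set beside salted password hashing, as an added example that is not from the original post or from RockYou!. The function names, the sample accounts and the PBKDF2 iteration count are assumptions chosen for illustration; the example also shows that per-user salts stop a dump from revealing which accounts share a password.

```python
import hashlib
import hmac
import secrets
from collections import Counter

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this example)

def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the value that gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register_plaintext(table: dict, email: str, password: str) -> None:
    # What the post describes: the stored value is the password itself.
    table[email] = password

def register_hashed(table: dict, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    table[email] = (salt, derive(password, salt))

def verify(table: dict, email: str, password: str) -> bool:
    """Check a login against the hashed table without storing the password."""
    record = table.get(email)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, derive(password, salt))

def max_repeat_count(table: dict) -> int:
    """Highest number of accounts sharing one stored value in a dump."""
    values = [v if isinstance(v, str) else v[1] for v in table.values()]
    return Counter(values).most_common(1)[0][1]

# Constructed sample accounts; two of them share a password.
SAMPLE_USERS = [
    ("a@example.com", "123456"),
    ("b@example.com", "123456"),
    ("c@example.com", "correct horse battery"),
]

def build_tables():
    plain, hashed = {}, {}
    for email, password in SAMPLE_USERS:
        register_plaintext(plain, email, password)
        register_hashed(hashed, email, password)
    return plain, hashed

if __name__ == "__main__":
    plain, hashed = build_tables()
    print("plaintext dump, max repeats:", max_repeat_count(plain))
    print("hashed dump, max repeats:   ", max_repeat_count(hashed))
    print("login still works:", verify(hashed, "a@example.com", "123456"))
```

Salted hashing only slows guessing against a stolen table; a password such as "123456" still falls to the first guess, so it complements rather than replaces fixing the flaw that exposed the data.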
