RockYou password snafu exposes webmail accounts

Clueless developer airs 32m user login IDs


Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That's bad enough in itself, but then an SQL injection flaw on RockYou's website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilise for webmail accounts associated with their social networking profiles, creating yet more potential problems.

"The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database... since the user names and passwords are by default the same as the user's webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security," Shulman said.

"The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service. The users are young and security is not top of their minds, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security," he added.

Screenshots illustrating the breach can be found in a story by TechCrunch. RockYou has reportedly fixed the issue, but this may have come too late for some.

"Unfortunately some accounts had already been compromised before the vulnerability was fixed," Shulman said. "All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk."

It's unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but have yet to hear back. We'll update this story as and when we know more. ®
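The two failures the story describes, a login lookup built by string concatenation and passwords kept in plain text, are shown below beside their fixes. This is an added example, not RockYou's code or anything from the TechCrunch screenshots; the table layout, the sample users and the PBKDF2 parameters are assumptions. The point it makes is that a parameterised query treats a quote character as data rather than SQL, and that storing a salted hash means a dump of the table does not hand out reusable webmail credentials.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for a site database.
# Columns and sample accounts are assumptions for this example.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
]

# Iteration count is an illustrative choice; tune for real deployments.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the only form a password is ever stored in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_db() -> sqlite3.Connection:
    """Create the table and insert users with per-user salt and hash, never the plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in SAMPLE_USERS:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))
    db.commit()
    return db


def lookup_vulnerable(db: sqlite3.Connection, email: str):
    """The injectable pattern: user input is pasted into the SQL text itself."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchone()


def lookup_safe(db: sqlite3.Connection, email: str):
    """The fix: the value is bound as a parameter, so quotes inside it stay literal."""
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchone()


def query_is_malformed(db: sqlite3.Connection, email: str) -> bool:
    """True if the concatenated query cannot even be parsed for this input,
    which is the first sign that input is reaching the SQL parser."""
    try:
        lookup_vulnerable(db, email)
        return False
    except sqlite3.OperationalError:
        return True


def verify_login(db: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison of the recomputed hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    conn = build_db()
    odd = "o'brien@example.com"  # a legitimate address containing a quote
    print("safe lookup of quoted address:", lookup_safe(conn, odd))
    print("concatenated query breaks on it:", query_is_malformed(conn, odd))
    print("alice logs in:", verify_login(conn, "alice@example.com", "correct horse"))
    print("wrong password:", verify_login(conn, "alice@example.com", "nope"))
```

An address such as `o'brien@example.com` is enough to show the difference: the bound-parameter version simply returns no match, while the concatenated version hands the quote to the SQL parser and fails, the same path that an attacker's crafted input would travel. Because the table holds only salt and hash, a copy of it does not give away the passwords users reuse elsewhere.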

Biting the hand that feeds IT © 1998–2020