RockYou to pay FTC $250K after breach of 32M passwords

RockYou, a company that makes games and other applications for use on social networking sites, must pay $250,000 following a settlement with the Federal Trade Commission over a massive 2009 breach.

The FTC had accused the Redwood City, Calif. firm of failing to protect the privacy of its users after a SQL vulnerability was detected, which gave hackers access to 32 million usernames and passwords stored in clear text. At least one intruder admitted to exploiting the vulnerability, and the weakness was openly discussed in hacking forums.
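As an added illustration, not code from the article or from RockYou, the following Python sketch shows the two controls the breach description implies were absent: a parameterized query, so that user-supplied input is bound as data rather than parsed as part of the SQL statement, and salted, iterated password hashing, so that a copied user table does not yield clear-text passwords. The in-memory table, the PBKDF2 work factor and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory credential store standing in for a site's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

ITERATIONS = 200_000  # PBKDF2 work factor chosen for the example; raise as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a per-user salted hash; the clear-text password is never written to the table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Create an account, storing only a random salt and the derived hash."""
    salt = os.urandom(16)
    # The ? placeholders bind values as data; the driver never parses them as SQL.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def lookup(username: str):
    """Parameterized lookup: quote characters in `username` are matched literally."""
    return conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def verify_password(username: str, password: str) -> bool:
    """Check a login attempt without ever comparing clear-text passwords."""
    row = lookup(username)
    if row is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)


def stored_records():
    """What someone who copied the table would see: usernames, salts and hashes only."""
    return conn.execute("SELECT username, salt, pw_hash FROM users").fetchall()


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify_password("alice", "correct horse battery staple"))
    print(verify_password("alice", "wrong"))
    # Input containing SQL syntax is treated as a literal username and simply does not match.
    print(lookup("alice' OR '1'='1"))
```

The point of `stored_records` is the contrast with the article: had RockYou's table held salts and PBKDF2 hashes rather than clear-text passwords, a copied table would still have needed a per-password brute-force effort rather than being immediately usable.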

In addition, the FTC alleged that RockYou violated the Children's Online Privacy Protection Act Rule, which addresses websites collecting the personal information of children under 13. RockYou was charged with failing to provide a clear policy on its information-handling practices, failing to obtain parental consent before collecting the information, and failing to protect it. In fact, according to the FTC complaint (PDF), RockYou's privacy policy at the time said it "does not knowingly collect or maintain" any data about children under 13.

The agency said 179,000 children were affected by the breach.

In addition to the fine, RockYou is prohibited from making "deceptive claims regarding privacy and data security." In addition, the company must undergo a third-party audit every other year for 20 years and delete any personal data of children under 13.

RockYou CEO Lisa Marino, in a statement, said: "RockYou is pleased to reach a settlement and gratified to put this matter behind us. We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout."

In a follow-up response, she told SCMagazine.com that following the breach, the company's network was rebuilt, which included the installation of an "enterprise-class" firewall and the blocking of external access to servers storing customer data.

RockYou is still facing a lawsuit over the breach. Last year, U.S. District Court Judge Phyllis Hamilton, sitting in Oakland, Calif., dismissed five claims, but allowed four to survive, including breach of contract and negligence.

Plaintiff Alan Claridge novelly argued that RockYou's users pay for products and services by providing their credentials, which constitutes valuable property, according to court documents. A breach of that information thus causes it to lose value.

Hamilton doubted Claridge ultimately can prove this theory -- typically claimants must prove they suffered financial harm to receive a favorable ruling -- but agreed to let him try.
