RockYou to pay FTC $250K after breach of 32M passwords

RockYou, a company that makes games and other applications for use on social networking sites, must pay $250,000 following a settlement with the Federal Trade Commission over a massive 2009 breach.

The FTC had accused the Redwood City, Calif. firm of failing to protect the privacy of its users after a SQL vulnerability was detected, which gave hackers access to 32 million usernames and passwords stored in clear text. At least one intruder admitted to exploiting the vulnerability, and the weakness was openly discussed in hacking forums.

In addition, the FTC alleged that RockYou violated the Children's Online Privacy Protection Act Rule, which governs websites that collect the personal information of children under 13. RockYou was charged with failing to provide a clear policy on its information handling practices, to obtain parental consent before collecting the information, and to protect it. In fact, according to the FTC complaint (PDF), RockYou's privacy policy at the time said it "does not knowingly collect or maintain" any data about children under 13.

The agency said 179,000 children were affected by the breach.

In addition to the fine, RockYou is prohibited from making "deceptive claims regarding privacy and data security." The company must also undergo a third-party audit every other year for 20 years and delete any personal data of children under 13.

RockYou CEO Lisa Marino, in a statement, said: "RockYou is pleased to reach a settlement and gratified to put this matter behind us. We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout."

In a follow-up response, she told SCMagazine.com that following the breach, the company's network was rebuilt, which included the installation of an "enterprise-class" firewall and the blocking of external access to servers storing customer data.

RockYou is still facing a lawsuit over the breach. Last year, U.S. District Court Judge Phyllis Hamilton, sitting in Oakland, Calif., dismissed five claims, but allowed four to survive, including breach of contract and negligence.

Plaintiff Alan Claridge made the novel argument that RockYou's users pay for its products and services by providing their credentials, which therefore constitute valuable property, according to court documents. A breach of that information thus causes it to lose value.

Hamilton doubted that Claridge ultimately can prove this theory -- claimants typically must show they suffered financial harm to receive a favorable ruling -- but agreed to let him try.
