Breach, Data Security, Threat Management, Vulnerability Management

RockYou to pay FTC $250K after breach of 32M passwords

RockYou, a company that makes games and other applications for use on social networking sites, must pay $250,000 following a settlement with the Federal Trade Commission over a massive 2009 breach.

The FTC had accused the Redwood City, Calif. firm of failing to protect the privacy of its users after a SQL vulnerability was detected, which gave hackers access to 32 million usernames and passwords stored in clear text. At least one intruder admitted to exploiting the vulnerability, and the weakness was openly discussed in hacking forums.

In addition, the FTC alleged that RockYou violated the Children's Online Privacy Protection Act Rule, which addresses websites collecting the personal information of children under 13. RockYou was charged with failing to provide a clear policy of its information handling practices, obtain parental consent prior to collecting the information, and failing to protect it. In fact, according to the FTC complaint (PDF), RockYou's privacy policy at the time said it "does not knowingly collect or maintain" any data about children under 13.

The agency said 179,000 children were affected by the breach.

In addition to the fine, RockYou is prohibited from making "deceptive claims regarding privacy and data security." In addition, the company must undergo a third-party audit every other year for 20 years and delete any personal data of children under 13.

RockYou CEO Lisa Marino, in a statement, said: "RockYou is pleased to reach a settlement and gratified to put this matter behind us. We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout."

In a follow-up response, she told SCMagazine.com that following the breach, the company's network was rebuilt, which included the installation of an "enterprise-class" firewall and the blocking of external access to servers storing customer data.

RockYou is still facing a lawsuit over the breach. Last year, U.S. District Court Judge Phyllis Hamilton, sitting in Oakland, Calif., dismissed five claims, but allowed four to survive, including breach of contract and negligence.

Plaintiff Alan Claridge novelly argued that RockYou's users pay for products and services by providing their credentials, which constitutes valuable property, according to court documents. A breach of that information thus causes it to lose value.

Hamilton doubted Claridge ultimately can prove this theory -- typically claimants must prove they suffered financial harm to receive a favorable ruling -- but agreed to let him try.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.