Researchers at database security firm Imperva discovered the flaw in RockYou.com, which provides applications and services for social networking sites like Facebook and MySpace. Imperva notified the site and then issued a warning about the flaw, Amichai Shulman, CTO of Imperva, told SCMagazineUS.com on Tuesday.
But before RockYou could fix the bug, at least one hacker, using the alias “igigi,” claims to have broken into the database and obtained the RockYou credentials of all users – totaling more than 32.6 million.
He was able to steal the information because users' email addresses and passwords were stored in clear text, meaning they were not hashed, encrypted or otherwise rendered unreadable, Shulman said. Individuals must use their webmail address and password as their RockYou credentials to register for applications. “So once I get the credentials from RockYou database, I can immediately compromise the webmail account and that has far broader consequences for the victim,” he said.
On Tuesday, igigi posted a portion of the data that had been obtained through the attack and threatened to publish everything if RockYou.com did not admit fault. “Don't lie to your customers, or I will publish everything,” igigi wrote.
A RockYou spokesperson did not respond to a request for more information made by SCMagazineUS.com on Tuesday.
Others probably hacked into the database even earlier, Shulman said. Imperva researchers initially discovered the vulnerability after coming across a thread on a hacking forum, where hackers discussed the flaw and said it was being actively exploited.
“It was probably compromised before we warned them about it,” Shulman said.
He added that Imperva researchers are certain that some webmail accounts have been accessed as a result of the breach.
“I can tell you for sure that some of them have been accessed,” Shulman said. “We know that for a fact. We looked at some of those accounts and they were already flagged as abused by the webmail providers.”
The RockYou database was accessed through SQL injection, an attack in which the attacker places SQL syntax inside a page request parameter. A vulnerable web application splices that parameter straight into the query it sends to the backend database, so the database executes the attacker's SQL along with the application's own, and the application returns data it was never meant to expose, such as rows belonging to other users.
“SQL injection is one of the oldest tricks in the book of application-level hacking and it allows direct access to the database through the web app,” Shulman said.
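The following is an added example, not code from the article, from Imperva or from RockYou. It illustrates the attack described above and two of the defenses discussed later on this page (parameterized queries and hashed rather than cleartext password storage) using Python's bundled sqlite3 as a stand-in for the backend database. The table schema, the handler names, the sample accounts and the PBKDF2 work factor are all assumptions made for the demonstration.

```python
"""Added example: SQL injection against a cleartext credential table, with two
fixes (parameterised queries, salted password hashing). Uses Python's bundled
sqlite3; the schema, handler names and sample users are all constructed here."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts, not real data.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo


def hash_password(password, salt=None):
    """Return 'salt_hex$pbkdf2_hex' so a dumped row is not a usable password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, recomputed)


def build_db(hashed):
    """In-memory users table, with cleartext (as at RockYou) or hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    rows = [(e, hash_password(p) if hashed else p) for e, p in SAMPLE_USERS]
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", rows)
    return conn


def lookup_vulnerable(conn, email):
    """Hypothetical vulnerable handler: the request parameter is spliced into SQL."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Fixed handler: the driver binds the value, so it can never become SQL."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


# A request such as /lookup?email=' OR '1'='1 turns the WHERE clause into a tautology.
TAUTOLOGY = "' OR '1'='1"
# A UNION payload returns every row regardless of the filter; '--' comments out the
# closing quote the application appends.
UNION_DUMP = "x' UNION SELECT email, password FROM users --"


def login_ok(conn, email, candidate):
    """Login against the hashed table using the parameterised lookup."""
    rows = lookup_parameterized(conn, email)
    return bool(rows) and verify_password(rows[0][1], candidate)


if __name__ == "__main__":
    clear = build_db(hashed=False)
    print("tautology dump:", lookup_vulnerable(clear, TAUTOLOGY))
    print("union dump:", lookup_vulnerable(clear, UNION_DUMP))
    print("parameterised, same payload:", lookup_parameterized(clear, TAUTOLOGY))
    hashed = build_db(hashed=True)
    print("dump of hashed table:", lookup_vulnerable(hashed, TAUTOLOGY))
    print("login alice/hunter2:", login_ok(hashed, "alice@example.com", "hunter2"))
```

Run against the cleartext table, both payloads return every email and password in one request, which is the RockYou outcome; the parameterized handler treats the same payload as a literal email address and returns nothing. Hashing is a separate layer: the injection still dumps the hashed table, but the dumped column no longer doubles as the victim's webmail password.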
Users should be advised to immediately change their webmail and RockYou passwords.
Database security is in a “crisis state” at most enterprises, Thom VanHorn, vice president of global marketing at Application Security, recently told SCMagazineUS.com.
In a recent poll conducted by Enterprise Strategy Group (ESG) on behalf of Application Security, fewer than half of the information security professionals surveyed believed that their existing database security controls provide adequate protection for all databases that contain confidential data.
Gretchen Hellman, vice president of security solutions for data encryption company Vormetric, told SCMagazineUS.com on Tuesday that in the rush to get their offerings to market quickly, many companies neglect security.
“It's very typical that security is not seen as a mission critical initiative,” Hellman said. “Until security is part of the application development process and overall new services launch process, this is going to continue to happen.”
She said avoiding attacks like this requires multiple layers of strong database security measures, including access control, encryption, secure coding practices, restricting privileges and running application code vulnerability scans.
Shulman added that web application firewalls also should be considered.