RockYou, a company that makes games and other applications for use on social networking sites, must pay $250,000 following a settlement with the Federal Trade Commission over a massive 2009 breach.
The FTC had accused the Redwood City, Calif., firm of failing to protect the privacy of its users after the detection of a SQL vulnerability that gave hackers access to 32 million usernames and passwords stored in clear text. At least one intruder admitted to exploiting the vulnerability, and the weakness was openly discussed in hacking forums.
The agency said 179,000 children were affected by the breach.
In addition to the fine, RockYou is prohibited from making "deceptive claims regarding privacy and data security." The company must also undergo a third-party audit every other year for 20 years and delete any personal data of children under 13.
RockYou CEO Lisa Marino, in a statement, said: "RockYou is pleased to reach a settlement and gratified to put this matter behind us. We appreciate the work the FTC has done in this process as they have been fair, reasonable and timely throughout."
In a follow-up response, she told SCMagazine.com that following the breach, the company's network was rebuilt, which included the installation of an "enterprise-class" firewall and the blocking of external access to servers storing customer data.
RockYou is still facing a lawsuit over the breach. Last year, U.S. District Court Judge Phyllis Hamilton, sitting in Oakland, Calif., dismissed five claims, but allowed four to survive, including breach of contract and negligence.
Plaintiff Alan Claridge made the novel argument that RockYou's users pay for products and services by providing their credentials, which constitute valuable property, according to court documents. A breach of that information thus causes it to lose value.
Hamilton doubted Claridge ultimately can prove this theory -- typically claimants must prove they suffered financial harm to receive a favorable ruling -- but agreed to let him try.