In 2009, RockYou.com suffered a major data breach, thanks to SQL Injection vulnerabilities. On Tuesday, the social gaming portal settled an FTC complaint related to that incident.
The RockYou.com attack resulted in the loss of 32,603,388 records, including passwords and email addresses. To this day, the RockYou.com list remains a useful dictionary for password cracking. After the incident, RockYou downplayed it, but that didn’t stop the FTC from looking into the matter.
Beyond RockYou's own claims, which amounted to touting the site's security while it was vulnerable to SQL Injection, the company also collected information from 179,000 children without obtaining parental consent. This is a violation of COPPA.
The central security failing cited in the settlement was that the information collected on the site was stored in clear text. This lack of “reasonable procedures, such as encryption”, together with the COPPA violations, formed the heart of the FTC’s case.
RockYou settled, and as part of the agreement it will implement a security program that protects collected information and submit to security audits every other year for the next 20 years.
In addition, they will pay a $250,000 fine for the COPPA violations, and are required to delete all information from users under the age of 13.