Feeds

RockYou password snafu exposes webmail accounts

Clueless developer airs 32m user login IDs

SANS - Survey on application security programs

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That's bad enough in itself, but then an SQL injection flaw on RockYou's website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilise for webmail accounts associated with their social networking profiles, creating yet more potential problems.

"The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database... since the user names and passwords are by default the same as the user's webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security," Shulman said.

"The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service. The users are young and security is not top of their minds, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security," he added.

Screenshots illustrating the breach can be found in a story by Techchrunch here. RockYou has reportedly fixed the issue, but this may have come too late for some.

"Unfortunately some accounts had already been compromised before the vulnerability was fixed," Shulman said. "All users need to be cautious and ensure they change their email passwords as their credentials may have been put at risk."

It's unclear why RockYou left passwords on its systems without encrypting them in the first place. We dropped a note to the developers asking for a response on this point on Tuesday, but are yet to hear back. We'll update this story as and when we know more. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.