RockYou.com database breached, 32 million unencrypted passwords obtained

<p><pre><code> Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure </code></pre> No you don't

Here is hacker's blog (hosted at PirateBay's blogging platform):<p><a href="http://igigi.baywords.com/" rel="nofollow">http://igigi.baywords.com/</a><p>He seems to be on a crusade against bad security practices - RockYou was just one out of many sites he hacked (other sites are mostly Czech and Slovak).<p>Here in Slovakia, it's almost weekly media event when he hacks yet another popular local site (mobile phone operator, insurance company, no.1 portal, etc).<p>He also likes to call bullshit on companies PR nonsense released in aftermath.

I know this is old, but in this day and age, it's surprising how many companies store plaintext passwords.<p>Pandora Radio, for instance.

The breach definitely sounds illegal, but why the hell were they storing unencrypted passwords in the first place?<p>When I first learned about databases, that is the very first thing I learned never to do.

<i>We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users. We will continue to advise our users of any information that would help them.</i><p>To me, this is a textbook case of a non-apology apology. Allowing (unencrypted!) passwords to be stolen isn't inconvenient to users, it's a pain in the ass.

<i>one or more individuals illegally breached one of our databases</i><p>I love the fact that they mention multiple times that it was an illegal breach as if that diminishes their culpability.

I love how they follow "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure." with a missive about how they don't follow the same security standards that every web app has used for 10 years. Their legacy system is presumably not older than their company, which has not been around since before even hobbyist web developers like myself learned not to store passwords in plain text.<p>Next we're going to find out that their system accepts the username "Delete from users WHERE"...

I know this is beating a dead horse, but encrypting your user's passwords is one of the most important things you should be doing. Failing to do so shows a complete lack of respect for your users, and demonstrates that your site/service is probably not worth using.<p>There should be a list of companies/sites that don't encrypt passwords, so we know what services to avoid. That way, next time you use the Forgot Your Password feature and they email you your plaintext password, you can add them to the list to warn others.

From: sshconnection Date: Wed, Jan 6, 2010 at 4:59 PM Subject: Engineering Lead for Social Applications To: dev-jobs@rockyou.com<p>Hi, I'm interested in your opening for Engineering Lead for Social Applications.<p>I made a PHP page as a high school project that let me log in and create blog posts. I required an admin account to log into the blog to write articles. My user table (I used MySQL as a database backend), had four columns: id, email, username, password. It sounds very simple, but please let me tell you some of the special technology I used for the password.<p>If someone used a password of "password", I would do something like this:<p>$plaintext = "password";<p>Then, I would use a function called sha1 to get a a new value of the password like this: $salt = sha1(md5($plaintext));<p>Then, I would get the final value to store as the password like so: $password = $md5($salt.$plaintext);<p>This way, the password is hidden behind what people call a hashing algorithm. That keeps people from figuring out the original password, even if they somehow got on my computer!<p>I know I have no professional programming experience, but I think that I could be a very valuable member of your team. If you're interested, please let me know!<p>-Scott

isn't this like a month or two old?

I wonder if this would be considered a "movie plot threat".<p><a href="http://news.ycombinator.com/item?id=815264" rel="nofollow">http://news.ycombinator.com/item?id=815264</a>

<i>I am sorry we lost 32 million passwords, we will encrypt them so next time we lose them its not so bad</i> - RockYou

You can hope that they encrypt your password; but never trust that they do. Use your own password database.

Stay classy RockYou.

/hugs 1Password