Social networking applications provider RockYou, which provides applications like Slideshow for MySpace and Superwall for Facebook, was hit by a suit filed last Monday in U.S. District Court in San Francisco over a major security breach that exposed the email and password information of an alleged 32 million users. Plaintiff Alan Claridge of Evansville, Indiana, claims that hackers were easily able to breach the security RockYou placed on its database containing user information. The complaint includes actions for negligence, breach of contract and breach of California's Security Breach Information Act, among others. At this time, the damages are unspecified.
Claridge claims that RockYou was informed by security company Imperva on December 4 that its database had been breached. But wait, even this part of the process might point up a few holes in the company's security structure. According to Cnet News, the security firm learned about the problem from "underground hackers forums." Allegedly, RockYou had been hit with a common type of exploit known as a "SQL injection flaw" that targets information stored in databases, and it seems hackers were regularly discussing the fact that the hole at RockYou was being exploited. Thank goodness for bragging hackers.
The suit further claims that, after discovering the breach, the company took 10 to 12 days to inform users of the problem. It did not post a warning on its site and took at least a day to actually fix the security leak. Even though the exposure of a password to a photo app provider may not sound like a serious security issue, most users utilize the same password across a broad spectrum of internet accounts, so a single exposed password can give hackers access to many other avenues of personal information.
Claridge and his attorneys are currently seeking class action status for the suit. RockYou responded to the suit in a prepared statement: "RockYou is aware of the class action suit brought by Alan Claridge and plans to defend itself vigorously. The company takes its users' privacy seriously."