FTC fines RockYou $250,000 for exposing identities of 32 million gamers

Rick


Online social gaming outfit RockYou has settled with the FTC after an embarrassing security snafu in 2009 let hackers expose the account names and passwords of more than 32 million users. The company has been fined $250,000 and must maintain a formal security program to protect user accounts.

Further aggravating officials, RockYou had also publicly fibbed about the robustness of its security and privacy policies. As a result, the FTC is also prohibiting the company from making any more deceptive claims regarding such policies in the future or it will face further penalties.

RockYou's servers were breached by a 10-year-old SQL injection technique. To make matters worse, account data was stored unencrypted: passwords sat in plain text, with no attempt to hash or even obfuscate them.

If you think that's bad, RockYou was also storing third-party user credentials for partner sites such as MySpace and webmail providers. As a result, hackers had access not only to RockYou accounts but also to users' Yahoo, Gmail, AOL and other accounts.
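The two failures the story describes, a login query assembled from user input and credentials kept in plain text, shown beside a hardened version as an added example (not code from the article or from RockYou; the table and user names are constructed for illustration):

```python
# Added example, not from the article: a string-built SQL query on a
# plaintext credential table versus a parameterised query on salted hashes.
import hashlib
import hmac
import secrets
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation: a leaked row no longer yields the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def setup_db() -> sqlite3.Connection:
    """In-memory database with one constructed user ('alice' / 'hunter2').
    'users_plain' mimics the plaintext storage the story describes;
    'users' stores only a random salt and a derived hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, hash BLOB)")
    db.execute("INSERT INTO users_plain VALUES ('alice', 'hunter2')")
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _hash("hunter2", salt)))
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> bool:
    # The query text is concatenated from user input, so a quote character in
    # the input becomes SQL syntax and can change what the query means.
    query = (f"SELECT 1 FROM users_plain WHERE name = '{name}' "
             f"AND password = '{password}'")
    return db.execute(query).fetchone() is not None


def login_hardened(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameter binding keeps the input as data; the stored value is a salted
    # hash, compared in constant time so a leak or timing does not reveal it.
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)
```

With the vulnerable version, an input containing SQL syntax is accepted without the real password, and a leaked `users_plain` row is the password itself; the hardened version treats the same input as a literal and leaks only a salted hash.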

Of the 32 million compromised accounts, about 179,000 were identified as belonging to children under the age of 13. The FTC determined that RockYou was well aware that underage users were taking part in its social gaming services, but the company did nothing to prevent it. Allowing children under 13 to participate is a direct violation of COPPA (the Children's Online Privacy Protection Act), a contributing factor in the FTC's action against RockYou.

So far, the FTC's effort to enforce data privacy has led to actions against 36 organizations that, like RockYou, have failed to take security and privacy seriously.


 
It wasn't a 10-year-old hacker, it was a 10-year-old SQL injection technique. And the hacker didn't get any money; all they got was a lot of accounts.
 
This keeps happening... with many companies.

I'd like to know the total number of people online who have had their information compromised and compare it to the number of people in the world whose countries have internet access.
 
I've often wondered, where does that $250,000 go?

Does any of that go to those that were impacted?

...or did the FTC just get a windfall for their budget?
 