FTC fines RockYou $250,000 for exposing identities of 32 million gamers

By on March 28, 2012, 5:00 PM

Online social gaming outfit RockYou has settled with the FTC after an embarrassing security snafu in 2009 allowed hackers to reveal the accounts and passwords of more than 32 million users. The company has been fined $250,000 and is required to maintain a formal security program in order to protect user accounts.

Further aggravating officials, RockYou had also publicly fibbed about the robustness of its security and privacy policies. As a result, the FTC is also prohibiting the company from making any more deceptive claims regarding such policies in the future or it will face further penalties.

RockYou's servers were breached by a 10-year-old SQL injection attack. To make matters worse, account data was left unencrypted -- yes, in plain text with no attempt to obfuscate it.

If you think that's bad, RockYou was also storing third-party user credentials from partner sites like MySpace and webmail. As a result, hackers had access not only to RockYou accounts, but also to users' Yahoo, Gmail, AOL, etc. accounts.

Out of the 32 million compromised accounts, about 179,000 were identified as belonging to users under the age of 13. The FTC determined that RockYou was well aware of underage youth engaging in its social gaming services, but the company did nothing to prevent this. Allowing children under the age of 13 to participate is a direct violation of COPPA, a contributing factor leading to RockYou's indictment by the FTC.

So far, the FTC's effort to enforce data privacy has led to the indictment of 36 organizations that, like RockYou, have egregiously failed to take matters of security and privacy seriously.
