Remember the RockYou breach that was disclosed in December 2009? It still ranks as one of the 10 biggest breaches of all time in terms of the number of records involved – 32 million users’ login credentials. A lawsuit over the breach created a buzz last year when it did not get dismissed out of hand for lack of standing or failure to demonstrate unreimbursed financial harm. Now Craig Hoffman reports that there is a proposed settlement in the case:

The parties in the Claridge v. RockYou case submitted a proposed settlement agreement to the court for approval on November 14, 2011. This case, which was filed shortly after RockYou disclosed a breach that compromised 32 million log-in credentials, received national attention in the spring. In April 2011, the California federal district court declined to dismiss the plaintiff’s breach of contract and negligence claims by finding that: “at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII.”

Notwithstanding the court’s skepticism concerning the plaintiff’s ultimate ability to prove any actual damages, the court’s recognition of a property right in personal information sufficient to meet the Article III standing requirement was immediately advanced by plaintiffs in other similar cases. Indeed, the RockYou decision and the recent First Circuit decision in Hannaford stand out from the seemingly constant stream of decisions dismissing putative class actions filed against companies who disclose data breaches.

The terms of the proposed settlement will undoubtedly raise some eyebrows because the plaintiff only gets $2,000 while the attorney gets $290,000. But the settlement would prevent a possible loss if the case goes forward and would allow the earlier ruling to stand, which might be of help to others in future cases.
You can read more on Data Privacy Monitor.
From the press release:

An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others. The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.

The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.

“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”

The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.

On its site, RockYou had posted the following about the breach:

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

Importantly, RockYou does not collect user financial information associated with RockYou.com widgets. In addition, user information for users of RockYou applications on partner sites, including Facebook, MySpace, Hi5, Friendster, Bebo, Orkut, Mixi, Cyworld, etc., was not implicated by the breach. The platform breach also did not impact any advertiser or publisher information, which we maintain on a separate and secure system that is not a legacy platform. Lastly, the security breach did not affect our advertising platform or our social network applications.

However, because the breached platform contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services. Changing passwords may prevent anyone from gaining unauthorized access to our users’ other online accounts. We are separately communicating with our users so that they take this step and are informed of the facts.

It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?
John Leyden reports:

Social media application developer RockYou has vowed to improve its security and apply encryption following a breach that exposed 32 million user login credentials to hackers. Sensitive login credentials – stored in plain text – were left open to attack as a result of an SQL injection vulnerability in RockYou’s website. In a statement, RockYou said the exposed password credentials applied to widgets it develops and potentially exposed user passwords and email addresses. The developer said user credentials for RockYou applications on partner sites – including Facebook, MySpace, and Orkut – were not exposed by the admitted breach.

Read more on The Register.
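The two failings Leyden names, plaintext credential storage and a login query assembled from raw user input, shown side by side with the hardened form (bound parameters, per-user salt, a slow PBKDF2 hash and a constant-time compare). This is an added example, not code from the article or from RockYou; the SQLite table names, the PBKDF2 round count and the sample accounts are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed cost parameter; tune to the server's hardware

def make_db():
    # Constructed in-memory store holding both layouts side by side (not RockYou's real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def vulnerable_register(db, username, password):
    # Weak pattern 1: the password itself is stored, so a dump of this table is a password list.
    db.execute(f"INSERT INTO users_plain VALUES ('{username}', '{password}')")

def vulnerable_check(db, username, password):
    # Weak pattern 2: user input is pasted into the SQL text, so any quote reaches the parser.
    sql = f"SELECT 1 FROM users_plain WHERE username = '{username}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def register(db, username, password):
    # Hardened: per-user random salt, slow PBKDF2 hash, bound parameters instead of string building.
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, pw_hash))

def hardened_check(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def login_outcome(check, db, username, password):
    # Runs a check function and reports "ok", "denied" or "error" (the query failed to parse).
    try:
        return "ok" if check(db, username, password) else "denied"
    except sqlite3.Error:
        return "error"

def dump_contains_plaintext(db, table, password):
    # What a dump of the table yields: does the password itself appear in any row?
    # `table` is one of the two constant names above, never user input.
    return any(password in str(cell) for row in db.execute(f"SELECT * FROM {table}") for cell in row)
```

With the weak pattern a legitimate username containing an apostrophe cannot even log in, because the quote breaks the query; with bound parameters it is just data, and a dump of the hardened table holds no usable secret.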
Jeremy Kirk reports:

Hosting provider Namecheap said Monday hackers compromised some of its users’ accounts, likely using a recently disclosed list of 1.2 billion usernames and passwords compiled by Russian hackers. The “vast majority” of login attempts have failed, wrote Matt Russell, vice president of hosting, on a company blog.

Read more on CSOonline.

“Likely” used? Interestingly, one of the reports on the celeb nude pics hack mentioned hackers possibly using passwords obtained from another hack – the RockYou one. It’s not clear whether either of these claims is actually accurate, but it’s a good reminder of the importance of not reusing passwords across sites and of changing all your passwords.
Andy Greenberg reports: Canadian researcher Ron Bowes has created a sort of Wall of Sheep for the entire Internet. By simply collecting all the publicly-spilled repositories of users’ passwords from recent hacking incidents, he’s created a clearinghouse for stolen passwords on his Web site–14,488,929 distinct passwords to be exact, collected from 32,943,045 users. Bowes didn’t steal these passwords, and they’re not associated with usernames, an extra piece of data that would make listing them far more dangerous. All but 250,000 or so became public after the breach of RockYou.com, a social networking applications site penetrated by cybercriminals using an SQL-injection. Another 180,000 were spilled when the bulletin board software site phpbb was hacked using a vulnerability in one of the site’s plugins. 37,000 more were stolen from MySpace using phishing techniques. Read more on Forbes.
It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers. Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever? Now they’re down at #7 on my list.

Rank  # of Records or People  Entity                                        Date of Incident or Report  Type of Incident
1     130,000,000             Heartland Payment Systems                     2009-01-20                  Hack, Malware
2     94,000,000              TJX, Inc.                                     2007-01-17                  Hack, Malware
3     90,000,000 [1]          TRW/Sears Roebuck                             1984-06-22                  Hack
4     70,000,000 [2]          National Archives and Records Administration  2009-10-01                  Disposal
5     40,000,000              CardSystems Solutions                         2005-06-17                  Hack
6     30,000,000 [3]          Deutsche Telekom                              2008-11-01                  Exposure
7     26,500,000              U.S. Department of Veterans Affairs           2006-05-22                  Stolen Laptop
8     25,000,000              HM Revenue and Customs / TNT                  2007-10-18                  Lost Tapes
9     18,000,000 [4]          Auction.co.kr                                 2008-02-17                  Hack
9     18,000,000 [5]          National Personnel Records Center             1973-07-12                  Fire
10    17,000,000              Countrywide Financial                         2008-08-01                  Insider
10    17,000,000              T-Mobile                                      2008-10-06                  Lost or Stolen Disk

Notes:

[1] TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

[2] NARA does not consider this a breach (.doc).

[3] The number of records actually accessed is unknown.

[4] Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.

[5] This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include: a Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases; the recent RockYou.com hack, where a hacker gained access to login details including 32,603,388 passwords in plain text; and an AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.

Image credit: “The Big Mistake” by williamhartz/Flickr, used under Creative Commons License.
Sophie Curtis reports:

A SQL injection flaw on a social networking app developer site has compromised the security of users and could lead to identity theft.

A SQL injection flaw has been discovered in Rockyou.com – a social networking application development website used by app developers for Bebo, Facebook and Myspace. The flaw could have allowed hackers access to the 32 million usernames and passwords in the Rockyou.com database, according to data security firm Imperva.

Read more on eWeek.