

RockYou.com database breached, 32 million unencrypted passwords obtained - freejoe76
http://www.rockyou.com/help/securityMessage.php

======
ivankirigin

      Our users' privacy and data security have always been 
      a priority for RockYou and we strive to keep them secure
    

No you don't

------
bd
Here is the hacker's blog (hosted on The Pirate Bay's blogging platform):

<http://igigi.baywords.com/>

He seems to be on a crusade against bad security practices - RockYou was just
one out of many sites he hacked (other sites are mostly Czech and Slovak).

Here in Slovakia, it's almost a weekly media event when he hacks yet another
popular local site (a mobile phone operator, an insurance company, the no. 1
portal, etc.).

He also likes to call bullshit on companies' PR nonsense released in the aftermath.

~~~
potatolicious
So long as he isn't taking advantage of the data, I might even applaud this
sort of thing.

------
donw
I know this is old, but in this day and age, it's surprising how many
companies store plaintext passwords.

Pandora Radio, for instance.

~~~
jerhinesmith
Every time I create an account on some new website, I find myself wishing for
some kind of law enforcing disclosure of whether or not my password will be
stored in plaintext or encrypted.

~~~
ironkeith
I got super paranoid about that, so I created a system for creating quasi-
random passwords for different sites, but based on the same rule:

salt+[reversed first four letters of site name]+[number of digits in site
name] _not the actual rule I used, but you get the idea_

That was okay, but kind of annoying. Plus, I figured that the rule wouldn't be
overly difficult to break, and then I'd be just as screwed as if I used the
same PW for all sites.

Now I use 1Password to generate and store all of my passwords. I use dropbox
to sync it across all my computers, and if I log in to dropbox, I can access a
web interface. There's also an iPhone app, so it's not _completely_ annoying
never knowing any of my passwords, and I don't have to worry about one site
storing my PW plain text and being exploited. [Now I just need to worry about
my dropbox account getting hacked... here's hoping they don't store in plain
text ;)]

 _I don't have anything to do with 1Password, and there are a lot of other
apps out there that do the same thing._

~~~
tfincannon
Wow, this is great! Worth paying for even though KeePassX is free.

------
kevinholesh
The breach definitely sounds illegal, but why the hell were they storing
unencrypted passwords in the first place?

When I first learned about databases, that is the very first thing I learned
never to do.

~~~
qeorge
To be fair, it's not that simple a problem. At the time, Facebook Connect
didn't exist, Twitter didn't use OAuth, and I don't know what MySpace was
doing. So if you wanted to give a 3rd party app access to your account, they
had to store your password. Sure, they should have used some kind of two-way
cipher on it, but how much safer than plain text is that anyway?

Of course, once Facebook et al. started using OAuth-like protocols, they should
have dropped the passwords. There's a lot of shame here for sure, but it's not
quite as amateur a mistake as it sounds on first blush.

~~~
idlewords
The post explains that no passwords to outside services were implicated in the
breach. So this is just as amateur a mistake as it sounds - storing their own
passwords in plaintext for no reason at all.

~~~
qeorge
Not true. This press release may say that, but earlier accounts disagree:

"This matter now appears worse than originally suspected as the dataset also
contains a table where RockYou have stored user credentials for social
networks and other partner sites."

[http://www.techcrunch.com/2009/12/14/rockyou-hack-security-m...](http://www.techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/)

Also, consider RockYou's initial statement, in which they would only say that
no Facebook accounts were compromised:

"RockYou confirms that no application accounts on Facebook were impacted by
this hack and that most of the accounts affected were for earlier applications
(including slideshow, glitter text, fun notes) that are no longer formally
supported by the company."

But you're right about them storing the internal passwords in clear text,
which I did not know. That is absurdly dumb.

------
mrduncan
_We are sorry for the inconvenience this illegal intrusion onto the RockYou
system has caused our users. We will continue to advise our users of any
information that would help them._

To me, this is a textbook case of a non-apology apology. Allowing
(unencrypted!) passwords to be stolen isn't inconvenient to users, it's a pain
in the ass.

~~~
goatforce5
It's less of a pain in the ass if you don't use the same password on multiple
sites.

~~~
mrduncan
I completely agree with you, but the reality is that it unfortunately happens
a lot.

------
dschobel
_one or more individuals illegally breached one of our databases_

I love the fact that they mention multiple times that it was an illegal breach
as if that diminishes their culpability.

------
mattmaroon
I love how they follow "Our users' privacy and data security have always been
a priority for RockYou and we strive to keep them secure." with a missive
about how they don't follow the same security standards that every web app has
used for 10 years. Their legacy system is presumably not older than their
company, which has not been around since before even hobbyist web developers
like myself learned not to store passwords in plain text.

Next we're going to find out that their system accepts the username "Delete
from users WHERE"...

------
rmorrison
I know this is beating a dead horse, but encrypting your users' passwords is
one of the most important things you should be doing. Failing to do so shows a
complete lack of respect for your users, and demonstrates that your
site/service is probably not worth using.

There should be a list of companies/sites that don't encrypt passwords, so we
know what services to avoid. That way, next time you use the Forgot Your
Password feature and they email you your plaintext password, you can add them
to the list to warn others.

~~~
Mark_B
Encrypted or not, the fact that a company is able to send you your original
password shows that they are not playing with a full deck.

~~~
rmorrison
Yeah, I suppose I should clarify. Instead of storing the plaintext or
encrypted version of the password, they should store a hash of the password.
Since, if/when the database gets compromised, it's even more difficult for the
attacker to retrieve the passwords.

If the passwords are just encrypted, once the attacker figures out the
algorithm, then all of the passwords will be compromised. A hash, on the other
hand, would require each account password to be broken individually.

------
sshconnection
From: sshconnection
Date: Wed, Jan 6, 2010 at 4:59 PM
Subject: Engineering Lead for Social Applications
To: dev-jobs@rockyou.com

Hi, I'm interested in your opening for Engineering Lead for Social
Applications.

I made a PHP page as a high school project that let me log in and create blog
posts. I required an admin account to log into the blog to write articles. My
user table (I used MySQL as a database backend), had four columns: id, email,
username, password. It sounds very simple, but please let me tell you some of
the special technology I used for the password.

If someone used a password of "password", I would do something like this:

$plaintext = "password";

Then, I would use a function called sha1 to get a new value of the password
like this: $salt = sha1(md5($plaintext));

Then, I would get the final value to store as the password like so: $password
= md5($salt . $plaintext);

This way, the password is hidden behind what people call a hashing algorithm.
That keeps people from figuring out the original password, even if they
somehow got on my computer!

I know I have no professional programming experience, but I think that I could
be a very valuable member of your team. If you're interested, please let me
know!

-Scott
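
An added example (not code from the original thread, from RockYou, or from any commenter) putting side by side the three storage choices discussed in the two comments above: a reversible "two-way cipher" keyed by one site-wide secret, an unsalted hash with a "salt" derived from the password itself (the scheme in the satirical application), and a per-user random salt with a slow key-derivation function. The user table, the attacker wordlist, the toy XOR keystream cipher and the site key are all constructed here for illustration; PBKDF2-HMAC-SHA256 is a substituted modern choice that the thread does not name.

```python
"""Password storage compared: reversible encryption vs. unsalted hash vs.
salted slow hash. Added example; every name, key and sample value below is
constructed for illustration and is not from the original page."""
import hashlib
import hmac
import os

# Constructed sample user table: two users share a password, which is
# common in any large database (and was visible in the RockYou dump).
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "iloveyou", "rockyou", "princess"]

# --- 1. Reversible encryption with one site-wide key --------------------
# Toy SHA-256 keystream XOR cipher. It stands in for "some kind of two-way
# cipher"; the point is structural: the key sits next to the table.
SITE_KEY = b"constructed-site-wide-secret"


def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_password(pw: str, key: bytes = SITE_KEY) -> bytes:
    data = pw.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(ct: bytes, key: bytes = SITE_KEY) -> str:
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


def recover_all_with_key(encrypted_table: dict, key: bytes = SITE_KEY) -> dict:
    # With the key, every record falls at once; no per-user work at all.
    return {u: decrypt_password(ct, key) for u, ct in encrypted_table.items()}


# --- 2. Unsalted hash (the "salt derived from the password" trick) ------
def self_salted_md5(pw: str) -> str:
    # Mirrors the satirical scheme: salt = sha1(md5(pw)), then md5(salt + pw).
    # Because the salt is a function of the password, equal passwords still
    # produce equal hashes, so it is effectively unsalted.
    salt = hashlib.sha1(hashlib.md5(pw.encode()).hexdigest().encode()).hexdigest()
    return hashlib.md5((salt + pw).encode()).hexdigest()


def crack_unsalted(hash_table: dict, wordlist: list) -> dict:
    # One precomputed table of hashes covers every user simultaneously.
    lookup = {self_salted_md5(w): w for w in wordlist}
    return {u: lookup[h] for u, h in hash_table.items() if h in lookup}


# --- 3. Per-user random salt + slow KDF ----------------------------------
ITERATIONS = 100_000  # tune so one verification costs tens of milliseconds


def hash_password(pw: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_salted(hash_table: dict, wordlist: list) -> tuple:
    # No shared lookup table is possible: each guess must be re-derived with
    # that user's salt, so cost scales as users x guesses x ITERATIONS.
    cracked, work = {}, 0
    for u, stored in hash_table.items():
        for w in wordlist:
            work += 1
            if verify_password(w, stored):
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    enc = {u: encrypt_password(p) for u, p in USERS.items()}
    print("encrypted, key leaked:", recover_all_with_key(enc))
    unsalted = {u: self_salted_md5(p) for u, p in USERS.items()}
    print("unsalted, one lookup table:", crack_unsalted(unsalted, WORDLIST))
    salted = {u: hash_password(p) for u, p in USERS.items()}
    print("salted+slow, per-user work:", crack_salted(salted, WORDLIST))
```

Running it shows the three failure modes the thread argues over: the key-based scheme gives up all three passwords the moment the key leaks, the "self-salted" MD5 produces identical hashes for alice and bob and is cracked with one wordlist pass, and the salted PBKDF2 table still yields the two weak passwords, but only after a separate, deliberately slow run per user, with carol's stronger password surviving the wordlist entirely.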

------
pxlpshr
isn't this like a month or two old?

~~~
stse
21 days-ish: <http://news.ycombinator.com/item?id=997488>
<http://news.ycombinator.com/item?id=995634>

I really wish they would implement a feature that lists similar topics when
you are about to submit a new one.

~~~
pronoiac
I'd like to see tags here.

~~~
abossy
I like the Stack Overflow system. The "Ask Question" form submits a search when
you're finished typing out your question. It's helped me find answers to
questions before asking them that didn't appear at the top of Google's search
results.

------
yomamma
I wonder if this would be considered a "movie plot threat".

<http://news.ycombinator.com/item?id=815264>

------
mattwdelong
_I am sorry we lost 32 million passwords, we will encrypt them so next time we
lose them it's not so bad_ - RockYou

------
rleisti
You can hope that they encrypt your password; but never trust that they do.
Use your own password database.

------
dgreensp
Stay classy RockYou.

------
bretthoerner
/hugs 1Password

