FTC Charges That Security Flaws in RockYou Game Site Exposed 32 Million Email Addresses and Passwords
The Federal Trade Commission announced a proposed settlement with RockYou, a company that makes applications for social networks such as Facebook, concerning RockYou’s security problems, which affected the privacy of its users, including children. In December 2009, it was revealed that RockYou “had suffered a data breach that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers,” reported TechCrunch. RockYou also faced a class-action lawsuit over the privacy breach. This FTC enforcement action is a response to that security breach. The FTC said in its announcement of the proposed settlement:
The operator of a social game site has agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission also alleged in its complaint against RockYou that RockYou violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from approximately 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges. […]
The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online. The company asked for kids’ date of birth, and so accepted registrations from kids under 13. In addition, the company’s security failures put users’, including children’s, personal information at risk, according to the FTC. The FTC charged that RockYou violated the COPPA Rule by:
- not spelling out its collection, use and disclosure policy for children’s information;
- not obtaining verifiable parental consent before collecting children’s personal information; and
- not maintaining reasonable procedures, such as encryption to protect the confidentiality, security, and integrity of personal information collected from children.
The proposed settlement order bars deceptive claims regarding privacy and data security and requires RockYou to implement a data security program and submit to security audits by independent third-party auditors every other year for 20 years. It also requires RockYou to delete information collected from children under age 13 and bars violations of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its alleged COPPA violations.
The FTC complaint (pdf) noted RockYou’s clear-text storage of passwords, including the email-account passwords it collected at registration:
RockYou’s practices posed a significant risk of harm to consumers. First, RockYou exposed the RockYou user accounts to account takeover by storing the RockYou passwords in clear text, allowing unauthorized access to private data stored in RockYou accounts, such as photographs. Second, RockYou’s practices created the risk of unauthorized access to users’ email accounts. RockYou’s practice of initially collecting email account passwords and storing them in clear text, even temporarily, created the risk of unauthorized access to such passwords and, therefore, to users’ email accounts. Moreover, it is commonly known that users often reuse passwords for different accounts.
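To make the complaint’s point concrete, here is an added example (not code from RockYou, the FTC, or TechCrunch) contrasting the storage pattern the complaint describes with a hashed alternative. The function names, the in-memory `db` dictionary, the sample account and the iteration count are all assumptions chosen for illustration; the hashing uses PBKDF2-HMAC-SHA256 from the Python standard library with a random per-user salt, so that a dump of the table yields no usable passwords and two users with the same password get different records.

```python
import hashlib
import hmac
import os

# --- Pattern alleged in the complaint: the password is stored as typed. -------
# A copy of this table is a copy of every credential, and because people reuse
# passwords, a copy of many users' email credentials as well.
def cleartext_store(db: dict, email: str, password: str) -> None:
    db[email] = {"password": password}

def cleartext_verify(db: dict, email: str, password: str) -> bool:
    rec = db.get(email)
    return rec is not None and hmac.compare_digest(rec["password"], password)

# --- Alternative: per-user salt + slow, iterated hash. -----------------------
# Cost parameter is an assumption for this example; tune it to the hardware the
# service runs on and raise it over time.
PBKDF2_ITERATIONS = 600_000

def hashed_store(db: dict, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[email] = {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}

def hashed_verify(db: dict, email: str, password: str) -> bool:
    rec = db.get(email)
    if rec is None:
        # Do the same amount of work for unknown accounts so response time
        # does not reveal which email addresses are registered.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    # Constant-time comparison; the stored iteration count lets old records be
    # re-hashed to a higher cost on the user's next successful login.
    return hmac.compare_digest(candidate, rec["hash"])

def leaked_passwords(db: dict) -> list:
    """What someone holding a dump of the table can read off directly."""
    return [rec["password"] for rec in db.values() if "password" in rec]

if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    plain, hashed = {}, {}
    for email in ("alice@example.com", "bob@example.com"):
        cleartext_store(plain, email, "hunter2")
        hashed_store(hashed, email, "hunter2")
    print("clear-text dump exposes:", leaked_passwords(plain))
    print("hashed dump exposes:", leaked_passwords(hashed))
    print("same password, different records:",
          hashed["alice@example.com"]["hash"] != hashed["bob@example.com"]["hash"])
```

The second half also bears on the complaint’s point about the email-account passwords: a third-party credential collected for a one-off import should be used and discarded, never written to the table at all, hashed or not.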
In a posting on the agency’s new tech blog, FTC Chief Technologist Ed Felten details the security problems of RockYou that led to the charges and proposed settlement. You can read the full FTC complaint and consent decree here.