Security Flub Exposes 32 Million Names, Passwords At Social App Site
Written by Fred J. AunWeak security at RockYou.com, a social networking application development site, allowed unauthorized access to more than 32 million user log-in credentials stored in an unencrypted database, according to the site’s chief technology officer. The SQL injection flaw allowed access to those credentials, and because “the user names and passwords are by default the same as the user’s Webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,” said Amichai Shulman, the chief technology officer at Imperva, a data security vendor that detected the problem and alerted RockYou officials, but not before the data theft had happened.
RockYou publicly acknowledged the breach Wednesday (Dec. 15), warning users to change their log-in credentials for other “online destinations” if they are the same as those used for RockYou.com. In a Venturebeat.com story on the incident, RockYou CTO Jia Shen said the problem involved RockYou’s legacy widget applications, a part of the site now closed, and he admitted the passwords had been retained unencrypted. Gartner Security Analyst Avivah Litan said retailers should view the case as a warning about the potential pitfalls of the single ID movement. “This just proves the theory that if you use an aggregator and have single sign-on to multiple sites, all it takes is a break-in to compromise your access to everything else,” Litan said. “Everybody should take a pause on these single-user schemes.”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
