RockYou admits security snafu exposed email login details

Social media application developer RockYou has vowed to improve its security and apply encryption following a breach that exposed 32 million user login credentials to hackers. Sensitive login credentials - stored in plain text - were left open to attack as a result of an SQL injection vulnerability in RockYou's website. In a …
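The excerpt names the two defects that combined here: a login query built from user-supplied strings, and the secrets it compared against being stored in plain text. The block below is an added example, not RockYou's code or anything from the article; it uses an in-memory SQLite table with constructed sample accounts (hypothetical names) to put the vulnerable pattern beside its hardened form. The fix is two-part: the query is parameterised so input can never change its structure, and the stored column holds a salted PBKDF2 hash so a dump of the table no longer yields working passwords.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts for the demonstration; not real users or real data.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
]


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a per-user random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_db(plaintext: bool) -> sqlite3.Connection:
    """Create a users table; 'plaintext=True' reproduces the storage the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    for email, pw in SAMPLE_USERS:
        secret = pw if plaintext else hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, secret))
    conn.commit()
    return conn


def stored_secret(conn: sqlite3.Connection, email: str) -> str:
    """What someone reading the table directly would see for this account."""
    return conn.execute("SELECT secret FROM users WHERE email = ?", (email,)).fetchone()[0]


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # BEFORE: the SQL text is assembled from untrusted input, so a quote in either
    # field rewrites the query, and the comparison is against a plaintext column.
    sql = f"SELECT email FROM users WHERE email = '{email}' AND secret = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # AFTER: the only SQL is a parameterised lookup by email; the driver binds the
    # value, so input cannot alter the statement. The password never reaches SQL
    # at all: it is checked in code against the salted hash.
    row = conn.execute("SELECT secret FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    plain = build_db(plaintext=True)
    hashed = build_db(plaintext=False)
    print("plaintext column holds:", stored_secret(plain, "bob@example.com"))
    print("hashed column holds:   ", stored_secret(hashed, "bob@example.com")[:40], "...")
    print("hardened login, right password:", login_hardened(hashed, "bob@example.com", "hunter2"))
    print("hardened login, wrong password:", login_hardened(hashed, "bob@example.com", "guess"))
```

Run it as a script to see the two table contents side by side; the difference in `stored_secret` is exactly the difference between a breach that leaks 32 million usable passwords and one that leaks salted hashes that still have to be cracked one at a time.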

COMMENTS

This topic is closed for new posts.
  1. Stu
    FAIL

    All well and good...

    ...but you're still gonna get SUED! At least they should be.

    Why do companies secure their sensitive data only AFTER it is revealed to all and sundry? There are responsibilities to uphold when storing such data, and keeping it anywhere in plaintext (even/especially only on 'legacy' systems) is clear negligence.

  2. Bernard Mergendeiler
    WTF?

    Well, DUH!

    There has never been an excuse for storing passwords in plain text. Doing that and saying security is one of their priorities is right up there with, "Your call is very important to us; please continue to hold..."

    Don't worry, these same geniuses are now learning about SQL injection attacks and may devise a defense some day.

  3. Anonymous Coward
    FAIL

    A pretty half-hearted admission IMO ...

    >"Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure."

    ... because this bit just isn't true. You didn't "strive", in fact you didn't try, you didn't bother, you didn't lift a finger to "keep them secure". So we should assume that this statement represents empty marketing spin rather than brutal soul-bearing honesty. And therefore we should not "have confidence" that you will "continue to ensure" anything at all; we should have confidence that as soon as the problem is forgotten and last week's news, you will revert to type and stop taking security seriously. Because right now it's still a lower priority to you than marketing.

    1. Anonymous Coward

      Weasel words

      "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure."

      The letter "a" is the word that leaps out at me there. "a" priority, not our top priority, or an important one, just "a" priority. It's probably just below getting as many usernames and their associated data as possible.

  4. Joe 3
    FAIL

    Same old same old

    "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure."

    This has been proven to be untrue though, hasn't it? If it was true, this wouldn't have happened.

  5. Justin Pasher
    FAIL

    Hypocrites... or just plain stupid

    "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure" ...

    Yet they stored passwords in plain text format. There is absolutely NO excuse for that if you "strive to keep them secure". The sad thing is I'm sure there are many other big sites that do the same thing, but the end user would never know about it until something like this happens. I guess too many people think, "Hey, they're smart enough to create this amazing web site functionality, so they MUST know what they are doing!"

  6. RW
    Flame

    To echo others

    "Our users' privacy and data security have always been a priority for RockYou"

    No they haven't. Clearly RockYou has no one on staff with the specific task of vetting security details. Or if they do, that person is either incompetent, or has been overruled by ignorant pointy-haired bosses or the professional liars on staff.

    Fucking liars!

    ¿Why do corporations (and government, it seems) invariably resort to lies and spin instead of saying "We seriously fucked up and the director responsible for this fiasco has been dumped. We are going to send everyone affected £10, plus we will make good any financial losses that may ensue."?

    Don't they realize that when platitudes such as that quoted appear, no thinking person pays the slightest attention. Gaseous feel-good messages no longer cut it, guys.

  7. Martin Nicholls
    Alert

    Been trying to figure out..

    .. how it's possible I've never heard of a site that supposedly has 32M users - what's the deal? For emos or something?

  8. Anonymous Coward
    Flame

    SQL injection?

    Jesus Christ. Must have been programmed by goats.

  9. Anonymous Coward
    Paris Hilton

    So that is where my SHIT spam comes from!!!

    I should have known!!!

    Paris..... because they are so dumb like her.
