SQL injection is one of the biggest problems in web application security; we've seen it with Heartland, 7-Eleven and Hannaford Brothers, and now RockYou. These attacks are widely known and publicized, yet companies that have suffered one still take 67 days to resolve the issue.
In early December, RockYou, a provider of third-party applications for Facebook, MySpace and other social networks, suffered a data breach that exposed the e-mail addresses and passwords of nearly 32 million RockYou users. The passwords had been stored in plain text, and the database was reachable through a SQL injection hole. On December 28, Alan Claridge, an affected user, filed a proposed class action lawsuit alleging that RockYou failed to properly secure his data, allowed the hacker 'igigi' to gain access to it, and failed to promptly notify him.
We are not certain what technology RockYou had in place, but a dWAF in front of the application could have blocked the injection and spared the company this disaster. More importantly, it would have protected its customers' personally identifiable information (PII). Because a dWAF is flexible, a virtual patch for a hole like this can be applied with minimal disruption to the network, which is exactly what a situation like this calls for. One caveat: a WAF limits what an attacker can reach through the front door; it does not change what is stored behind it. Passwords kept in plain text are exposed by any path to the database, so hashing them properly is a separate fix that no filter replaces.
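To make the two failures concrete, here is an added example (not RockYou's code, and not the dWAF product's) showing a login check built by string concatenation beside a parameterized one, and plaintext password storage beside salted PBKDF2 hashes. The accounts, the injection payload and the sqlite table are all constructed for the example; the company's own list below speaks of "encrypting" passwords, but what a password store actually needs is a salted, slow hash, which is what the hardened half does.

```python
"""Added example (not RockYou's code): SQL injection via string concatenation
versus bound parameters, and plaintext storage versus salted PBKDF2 hashes.
All user records and the payload are constructed for illustration."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; hypothetical, not data from the breach.
SAMPLE_USERS = [("alice@example.com", "correct horse"),
                ("bob@example.com", "hunter2")]

# Classic tautology payload: closes the string literal, ORs in a condition
# that is always true, and comments out the rest of the WHERE clause.
INJECTION_PAYLOAD = "' OR 1=1--"


def setup_plaintext_db():
    """Table storing passwords as plain text, as the breach report describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Deliberately vulnerable: attacker input becomes part of the SQL text."""
    sql = ("SELECT email FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, email, password):
    """Hardened: bound parameters are data to the engine, never SQL grammar."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (email, password)))


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def setup_hashed_db():
    """Same accounts, but only salted hashes are ever written to the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(email, hash_password(pw)) for email, pw in SAMPLE_USERS])
    return conn


def login_hashed(conn, email, password):
    """Parameterized lookup plus hash verification; True only on a real match."""
    row = conn.execute("SELECT password_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row is not None and verify_password(row[0], password)


def dump_table(conn):
    """What an attacker sees after a full table dump: the second column is
    either the password itself or a hash that still has to be cracked."""
    return [tuple(r) for r in conn.execute("SELECT * FROM users ORDER BY email")]


if __name__ == "__main__":
    plain = setup_plaintext_db()
    print("vulnerable login with payload:", login_vulnerable(plain, INJECTION_PAYLOAD, "x"))
    print("parameterized login with payload:", login_parameterized(plain, INJECTION_PAYLOAD, "x"))
    print("plaintext dump:", dump_table(plain))
    hashed = setup_hashed_db()
    print("hashed login, real credentials:", login_hashed(hashed, "bob@example.com", "hunter2"))
    print("hashed dump:", dump_table(hashed))
```

Run as a script, the vulnerable login returns every account for the payload while the parameterized one returns nothing; the two dumps show why the storage choice matters independently of the injection: the first hands over usable credentials for every other site those users share a password with, the second hands over per-user salted hashes that must be brute-forced one at a time.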
Moving forward, RockYou says it will investigate the breach further, review its security protocols and implement new practices:
- Encrypting all passwords
- Upgrading the legacy platform with the same infrastructure and industry-standard security protocols we employ on our partner application platforms
- Reviewing our current data security features and ensuring that they meet industry standards and best practices
For more background on the RockYou breach, see SC Magazine's article.
Follow this discussion on Twitter @hyperguard