Ep 33: RockYou

Troy Hunt is an Australian security researcher who runs the data breach notification service Have I Been Pwned?, which collects all public and semi-public user account data breach details that he can find. Through his website, people can search for their email address to see if their account has been breached. It has changed the way we view our account security. This site has seen 6.9 billion breached accounts, which is a significant portion of online accounts. Troy is overwhelmed by the increasing stream of data and the mental toll it takes on him. Breaches today are common, and it is essential to be vigilant about online security.

Many hackers and security professionals started their journey as teenagers who had access to a computer and an endless curiosity towards technology. Spending countless hours on computers, playing video games, learning HTML or how to code, and finding different things to learn on the internet, they mastered the craft over time. However, not everyone has this opportunity, and it should be considered a privilege to have access to a world of information right there in your bedroom and the luxury of time to spend countless hours on it. It's important to remember that hacking is illegal and can lead to serious consequences, so it's essential to use these skills in ethical ways and follow the law.

Web developers should always sanitize user inputs and parse it differently to prevent SQL injection, which is a known attack for over two decades. SQL injection can lead to unauthorized access to databases and sensitive information. In this case, Tom found a popular Czech movie database vulnerable to SQL injection and could access the user table containing usernames, hashed passwords, and email addresses of over 187,000 users. It is essential to store passwords in a hashed form to prevent their easy cracking. On discovering the database breach, the website migrated to a different database with enhanced password storage. Tom attempted to disclose the hack on a secure platform, eventually using BayWords to publish his blog post.

Tom's hacking spree was fueled by the thrill of adrenaline and the need for notoriety, targeting vulnerable websites mostly in Czech Republic and Slovakia. The popular RockYou website, making mistakes along the way, sent confidential email addresses in CC rather than BCC to their 450 ad partners twice, opening the opportunity to their competition like Zynga to recruit from them via Reply All email chain. The vice president apologized and promised to take privacy seriously but made the same embarrassing mistake two more times later on.

RockYou, a fast-growing company, had a weak password policy and was vulnerable to a SQL injection attack, which led to the theft of 32 million user accounts. Imperva, a security company, notified RockYou of the vulnerability which they tried to fix, but it was too late as a hacker named Tom had already downloaded their entire user database. The privacy policy of RockYou was not the best, and they did not notify their customers. Tom wanted to expose their weak security and get them to admit the breach, so he posted about it on his blog. This incident highlights the importance of strong password policies and the need for companies to take data security seriously.

The 2009 RockYou data breach was a result of storing passwords in clear text, making it easy for a hacker to steal 32 million usernames and passwords. The breach included social media login information that was also stored in clear text. This breach is a reminder that security should always be taken seriously, and passwords should be encrypted or hashed. The popularity of this breach led someone to extract only the passwords and post them online, making it a gold mine for hackers to try when cracking passwords. Security professionals like Amichai had to spend a long time processing this data to understand what could be learned from it. This breach provided a significant dataset of actual passwords used by people, which was previously unavailable.

Using weak and common passwords makes it easy for hackers to gain access to user accounts, and relying on brute force attacks is not an effective way to protect against attacks. The top 5000 most frequently used passwords can crack 20% of all passwords, so it is important to use strong and unique passwords to prevent credential theft attacks. The RockYou breach caused significant loss of customers and the company had to restructure its resources, but they were determined to recover and rise up again. It also highlighted the importance of password strength and sparked public discussions on the topic, leading to more awareness and improved password practices.

The RockYou data breach resulted in a class action lawsuit settlement where identifiable harm need not be proven to claim compensation. This changed the way data breach lawsuits were handled in the future and served as a warning to other online companies to protect personal identifying information. Furthermore, the breach also violated regulations under The Children's Online Privacy Protection Act when RockYou stored the personal information of children under thirteen. As a result, RockYou was fined $250,000, ordered to delete all information of children under thirteen, and undergo third-party security audits for twenty years. Despite some successes, RockYou's business model eventually failed, with the website now completely down and social media accounts deleted.

RockYou, a company that ran poker and bingo games, filed for Chapter Seven bankruptcy in New York State in 2019, leaving behind $500,000 in unpaid customer winnings and a data breach. The breach resulted in a canonical set of data called RockYou being passed around the hacking world, which is still being used today. Tom, the person responsible for the breach, kept blogging for a few days after leaking the data, but then disappeared. Even Troy Hunt, a renowned security expert, has doubts about the effectiveness of class actions against companies that suffer data breaches, suggesting that regulatory penalties may be more appropriate. The events raise questions about who should be held accountable for such data breaches.