SAN FRANCISCO (CN) – A federal class action claims a game developer for Facebook and MySpace knowingly put the personal information of 32 million people at risk of theft by not encrypting it. The class claims RockYou touts itself as “the leading provider of Facebook and MySpace based advertising services,” but it failed to employ the most basic safeguards to protect people’s email addresses and passwords from “even the least capable hacker.”
Lead plaintiff Alan Claridge says he gave RockYou his email address in order to use a photo-sharing application, and learned from an email from RockYou on Dec. 16 that his personal information had been compromised.
He claims that RockYou knew that its Structured Query Language database, an online archive commonly used by companies for storing email accounts and passwords, was seriously flawed. Since the information was stored in plain text rather than encrypted code, private data could easily be read and misappropriated by hackers, Claridge says.
The online security firm Imperva notified RockYou of a security breach on Dec. 4, the complaint states.
“According to Imperva, hackers were regularly discussing RockYou’s SQL injection vulnerability and the fact that it was being actively exploited,” according to the complaint.
In fact, Claridge says, a hacker called “igigi” already had gained access to RockYou’s database and removed 32 million email addresses and passwords before Imperva’s warning.
The complaint cites a Dec. 15 interview with SCMagazineUS.com, in which Imperva’s chief technology officer Amichai Shulman said, “‘It was probably compromised before we warned them about it. We know that for a fact. We looked at some of those accounts and they were already flagged as abused by the Web mail providers.’” Shulman acknowledged that RockYou did not immediately take down the site, as it claimed in its press release, but “waited at least one day to take action to repair the SQL vulnerability,” the complaint states.
The class seeks an injunction and damages for violation of the Consumer Legal Remedies Act, California’s Security Breach Information Act and Computer Crime Law, breach of contract and negligence. It is represented by David Parisi with Parisi and Havens of Sherman Oaks.