LifeLock Blog

A hacker let himself in through an unlocked virtual door at RockYou Inc and walked off with more than 32.6 million login names and passwords for users of Facebook, MySpace, Friendster and other social networking sites.

The login information was unencrypted and virtually unprotected, and, according to ComputerWorld, the users’ names were the same as those of the users’ Gmail, Yahoo, Hotmail or other web mail accounts. Though few people include Social Security or financial accounts information on their social media sites, any of that information in users’ web mail accounts could be accessed with accessed information.

RockYou says more than 130 million unique users take advantage of their tools for social media sites every month, including applications and services for greeting cards, horoscopes, games, emoticons and photo uploads and slideshows.

A segment of the database was posted on the hacker’s website along with his claim that he accessed 32,603,388 accounts, including their unencrypted, plain-text passwords. He warned RockYou, “Don’t lie to your customers, or i (sic) will publish everything.”

The data breach was discovered after database security firm, Imperva Inc, warned RockYou that hackers were using a serious error in their system to access to RockYou’s massive user database. At least another day passed before RockYou brought down the site, according to Imperva. RockYou said in a statement they immediate brought down the site and addressed the problem.

More than 285 million records were compromised in data breaches last year, and more than 50% of all breaches required little or no technical skill, according to the Verizon Business 2009 Data Breach Investigations Report. The investigators also reported that 83% of all data breaches could have been prevented last year if the victims had employed simple, inexpensive controls.