RockYou settles with FTC over massive data breach

Social game site RockYou is in hot water with the Federal Trade Commission over a 2009 hack that exposed millions of users' email addresses and passwords.

RockYou operated a website allowing people to assemble slide shows, which could be saved only by entering their email address and password. This data, though, was stored in plain text.

And when in 2009 the site was hacked, exploiting an SQL vulnerability of which the company was already aware, more than 32 million user records were stolen.
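The two failures described above, plaintext credential storage and a SQL vulnerability, are both avoidable with routine practice. The snippet below is an added illustration written for this article, not RockYou's code, and it assumes a hypothetical user table of my own construction: passwords are stored only as a random salt plus a PBKDF2 hash, every query is parameterized so user input is treated as data rather than SQL, and a simulated table dump is checked to confirm the original password is not recoverable from it.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; a deliberately slow hash limits
# offline guessing if the table is ever exfiltrated. (Constructed value.)
PBKDF2_ITERATIONS = 200_000


def open_store():
    """Create an in-memory SQLite user table holding salted hashes, never passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password, salt):
    """Derive a fixed-length hash from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(conn, email, password):
    """Store the user with a fresh 16-byte random salt; the password itself is discarded."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify(conn, email, password):
    """Parameterized lookup: quotes or SQL keywords in `email` are matched literally."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))


def dump_contains_plaintext(conn, password):
    """Simulate a stolen copy of the table and check whether the password appears in it."""
    rows = conn.execute("SELECT email, salt, pw_hash FROM users").fetchall()
    needle = password.encode("utf-8")
    return any(needle in (salt + pw_hash) for _, salt, pw_hash in rows)


if __name__ == "__main__":
    store = open_store()
    # Constructed sample account.
    register(store, "alice@example.com", "correct horse battery staple")
    print("valid login:", verify(store, "alice@example.com", "correct horse battery staple"))
    print("wrong password:", verify(store, "alice@example.com", "guess"))
    print("metacharacters in email:", verify(store, "alice@example.com' OR 1=1 --", "x"))
    print("password visible in dump:", dump_contains_plaintext(store, "correct horse battery staple"))
```

The last check is the one that matters for a breach like this one: with the table stored this way, a stolen copy yields salts and hashes rather than 32 million reusable passwords, and an attacker must spend the PBKDF2 work factor on every guess for every account.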

RockYou also, says the FTC, violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) by collecting information from approximately 179,000 children.

“The FTC alleged that RockYou knowingly collected approximately 179,000 children’s email addresses and associated passwords during registration – without their parents’ consent – and enabled children to create personal profiles and post personal information on slide shows that could be shared online,” says the FTC.

“The company asked for kids’ date of birth, and so accepted registrations from kids under 13.”

It didn’t, as required, spell out its policy for children’s information, or ask for verifiable parental consent. Adding insult to injury, says the FTC, the children also had their personal information put at risk because of the lack of encryption.

RockYou is now required to tighten up its security, submit to regular audits and pay a $250,000 civil penalty.