By Jon Hood
RockYou, a developer of widgets and applications for Facebook and MySpace, was hit with a class action alleging that the company's poor security allowed a hacker to gain access to 32 million e-mail addresses and passwords.
The complaint, filed this week in federal court in San Francisco, says that RockYou kept confidential user information in an unencrypted plain text file, making it incredibly easy to hack.
The suit alleges that RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers.
RockYou is mainly known for providing so-called widgets for Facebook, MySpace, and other social networking sites. The widgets allow users to customize and enhance their personal pages. The company was founded in 2006 by two former employees of software developer Iconix.
Alan Claridge, the lawsuit's lead plaintiff, says that RockYou compounded the security breach with a slow and ineffective response. He says he received an e-mail from the company on December 16, warning that his information may have been compromised because of RockYou's failure to create a secure user database. But Claridge alleges that RockYou was aware of the security breach up to 12 days earlier, on December 4, but did nothing to warn users.
RockYou's website now sports a red-and-white banner reading "Important Security Notice from RockYou." A lengthy statement says that the company is investigating the data breach, "reviewing our security protocols, and implementing new practices to prevent this from happening again." Specifically, the statement says that RockYou is encrypting user information, implementing a more secure platform, reviewing security procedures to "ensur[e] that they meet industry standards and best practices," and cooperating with Federal authorities "to investigate the illegal breach of our database."
In the meantime, RockYou recommends that users change their e-mail passwords to prevent hackers from viewing any confidential information. There is also a less obvious danger caused by the breach: since many consumers use the same password for multiple accounts, those accounts may also be susceptible to breach. Thus, consumers should update any account for which they use the same or even a similar password.
The suit, which is being handled by KamberEdelson LLC, alleges breach of contract, breach of the implied covenant of good faith and fair dealing, negligence, and violation of several California consumer protection laws. The suit seeks unspecified damages and a court order that RockYou improve its security measures.