The social site ‘RockYou’ suffered a data breach that resulted in the exposure of more than 32 million user accounts. Compounding the severity of the breach, RockYou had stored all user account data, passwords included, in its database in plain text. Once the attacker had a copy of the database there was nothing left to crack, which made it trivial to obtain and expose the information.
December 2009
The attackers gained access to the database using a well-known SQL-injection technique. This is a class of flaw that should be tested for during the development phase of a project, not discovered after deployment.
The issue was made worse by RockYou's attempt to minimise the negative publicity. It first kept the breach quiet rather than notifying its users, then downplayed it in an official statement as an issue that affected only ‘older’ applications. The hacker responsible for the initial breach published a small portion of the retrieved dataset and demonstrated that not only did he have access to the entire RockYou database, but passwords were stored in the clear. Matters became worse still when it emerged that RockYou also stored users' credentials for social networks and other partner sites, including MySpace, and for webmail accounts.
The RockYou account creation process did not encourage or enforce strong passwords. It enforced only a minimum length of five characters. There was no requirement for mixed case or digits, and the process actively encouraged simple passwords by not allowing any punctuation at all. Passwords were sent to new users of the service in plain-text e-mail.
Interestingly, an analysis of the 32 million passwords revealed the top ten to be:
- 123456
- 12345
- 123456789
- Password
- iloveyou
- princess
- rockyou
- 1234567
- 12345678
- abc123
This list shows how important it is to choose a password that cannot be obviously guessed, and, on the service side, to reject such passwords at registration and never to store them in the clear.
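As an added example (not RockYou's code and not from the original article), here is the registration-time check and storage format that address the weaknesses described above: a meaningful minimum length, a block on the commonly used passwords listed on this page, punctuation permitted rather than forbidden, and a salted, iterated hash instead of plain text. The minimum length, the PBKDF2 iteration count and the stored-string layout are this example's own choices, not values from the page.

```python
"""Added example (not RockYou's code): password policy checks and salted
password storage of the kind a service should apply at registration.

MIN_LENGTH, PBKDF2_ROUNDS and the stored-hash layout are assumed values."""
import hashlib
import hmac
import secrets

# The ten most common passwords from the breach analysis listed above,
# lower-cased so the comparison is case-insensitive.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

MIN_LENGTH = 12            # assumed policy value (the page reports RockYou used 5)
PBKDF2_ROUNDS = 200_000    # assumed work factor


def check_password(candidate: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("in the list of commonly used passwords")
    has_upper = any(c.isupper() for c in candidate)
    has_lower = any(c.islower() for c in candidate)
    if not (has_upper and has_lower):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    # Punctuation is deliberately allowed: nothing here rejects it.
    return problems


def hash_password(password: str) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash with a fresh random salt.
    Only the algorithm, rounds, salt and digest are stored, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and rounds and compare in
    constant time, so a timing difference does not leak digest bytes."""
    algorithm, rounds, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("princess", "Password", "Correct-Horse-Battery-9"):
        print(repr(pw), "->", check_password(pw) or "ok")
    record = hash_password("Correct-Horse-Battery-9")
    print("stored:", record)
    print("verify good:", verify_password("Correct-Horse-Battery-9", record))
    print("verify bad: ", verify_password("Correct-Horse-Battery-8", record))
```

Because each stored record carries its own salt, two users with the same password get different hashes, and a leaked table cannot be read off directly the way RockYou's was; an attacker has to spend the iteration cost per guess per account.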
For copyright details, refer to http://ciocoo.com/legal/copyright/
For terms of use, refer to http://ciocoo.com/legal/terms-of-use/
© Copyright Tim Bullock 2010

