RockYou Agrees to $250K FTC Fine Over Loss Of 32m Passwords

Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:32:32


The Federal Trade Commission announced on Tuesday that it had reached a settlement with RockYou over violations of the Children’s Online Privacy Protection Act (COPPA) after the Web site allowed hackers to gain access to the personal information of its 32 million members.

In a statement published on the Web site, the agency said that RockYou violated COPPA by collecting information on roughly 179,000 children under the age of 13 without the consent of their parents. The security failure that resulted in the massive data breach “put users including children’s personal information at risk.”


The COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

RockYou develops social games and advertising products for social media Web sites. The company’s titles include Gourmet Ranch and Zoo World. The exact source of the December 2009 data breach hasn’t been revealed. However, a SQL injection flaw that was subsequently discovered on the Web site could be the origin of the breach.

The more than 32 million passwords and user names exposed in the breach make up one of the largest hauls of stolen credentials ever. Subsequent analysis of the leaked data by the security firm Imperva (PDF) revealed that many users rely on easy-to-guess and insecure passwords.

Under a proposed settlement with the FTC, RockYou must delete the information collected from children under age 13, implement a data security program, submit to security audits by independent third-party auditors every other year for 20 years, and pay a $250,000 civil penalty for its alleged COPPA violations.

The FTC has stepped up its efforts to prosecute Web sites that violate consumer privacy laws. In March 2011, the Agency forced search giant Google to implement a comprehensive privacy program and submit to regular, independent privacy audits over complaints that its Buzz social network violated the FTC Act when it used information from the accounts of Gmail users to populate Buzz without their consent. Then, in November, the FTC reached a similar settlement with Facebook over complaints that privacy changes the site made in 2009 were “unfair and deceptive.”

The Agency issued a report this week on consumer privacy and online tracking that recommends more transparency in the way that online data brokers operate and make themselves known to consumers.