RockYou sued over data breach

Suit seeks class action status and accuses RockYou of "reckless indifference to proper security measures" in failing to secure its network and protect customer data.

Elinor Mills, Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.


An Indiana man filed a lawsuit against RockYou this week alleging that the provider of social-networking apps failed to secure its network and protect customer data, enabling a hacker to grab passwords of 32 million users earlier this month.

The suit seeking class action status was filed Monday in U.S. District Court in San Francisco by lawyers for Alan Claridge, of Evansville, Ind., who registered with RockYou in August 2008 to use a photo-sharing application. RockYou is a publisher and developer of online apps and services like "SuperWall" on Facebook and "Slideshow" on MySpace.

Claridge said he received an e-mail from RockYou on December 16 informing him that his sensitive, personally identifiable information, including e-mail address and password, may have been compromised in a security breach, according to the suit.

Security firm Imperva notified RockYou on December 4 that it had learned of a breach of RockYou's network from underground hacker forums. RockYou had been hit with a common type of exploit, known as a SQL injection flaw, that targets information stored in databases, and hackers were regularly discussing the fact that the hole at RockYou was being exploited, the lawsuit said.

After being informed of the breach, RockYou admitted that customer data had been stored in an unencrypted database.

The suit claims RockYou failed to protect sensitive user data including e-mail addresses, passwords, and login credentials for social-networking sites like Facebook and MySpace and was negligent in storing data in plaintext.

"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit alleges.

"Because a majority of Internet users utilize identical passwords across a wide range of Web sites, gaining access to a user's e-mail account name and password has a high likelihood of providing access to a user's personal and/or work e-mail account," the suit said.

RockYou also took at least one day to take action to fix the problem, and failed to notify customers of the breach in a reasonable time frame, not posting notice on its Web site or warning customers for 10 to 12 days after it was notified, the lawsuit alleges.

Wendy Zaas, a spokeswoman for Redwood City, Calif.-based RockYou, provided this statement when asked for comment on the lawsuit: "RockYou is aware of the class action suit brought by Alan Claridge and plans to defend itself vigorously. The company takes its users' privacy seriously."

The lawsuit comprises nine counts, including negligence, breach of contract, and violations of California's Computer Crime Law and California's Security Breach Information Act, among other allegations. It asks the court to order RockYou to protect customer data and seeks unspecified damages.

The suit was first reported by Wired.com.