It just took a few hours and concentrated effort to inject’s database with SQL to gain access to more then 32 million user IDs and passwords. So what? They were stored in PLAINT TEXT! OK so here’s a really horrible scenario: Suppose even 10% of the had matching Paypal passwords and the hacker only took $5 from every account. How much did he make? That’s simple math: 32,00,000*0.1*5 = $16million. The least we could do is make an example out of RockYou for this gross disaster they might have brought on their poor members. 


The hacker who wouldn’t disclose his name for obvious reasons revealed that out of every 3 popular US websites he hacked, 1 stored it’s user’s password and IDs in plain text. There is still no legislation regulating the maintenance and storage of this confidential user data. Especially when RockYou’s Privacy statement clearly claimed that:

You are responsible for maintaining the secrecy of your unique password and account information at all times.

What? Did any of their member ever knew that they are solely responsible for any hack?

So what can be done? First and foremost, there must be an immediate formulation of regulation binding on every website to maintain their user’s confidential data in encrypted format instead of plain text OR there’s a better option: Use OpenID which is a kind of centralized login system where you don’t have to create a separate login for the website but you can use you OpenID which is supported by major industry players like Facebook, Google etcetera.

The hacker will not be publishing the records but when RockYou tried whitewashing this Epic fail by claiming that only a few records were exposed to the hack, the hacker replied by publising a part of the records. RockYou is doomed. They have released a security notice detailing the steps they’re going to take now to make sure this never happens again.

So much for user data privacy.