According to reports, RockYou has around 32 million registered users. And this is where the problems start.
According to the good folks at Imperva, it appears that there was a SQL injection flaw on the site. This flaw allowed pretty much unimpeded access to the back-end database. It would appear that on December 4th someone took a copy of the entire user database. We know this because they publicized pieces of it, with details obscured. The link is on the TechCrunch site, but don't follow it – malware was pushed at my PC when I tried.
Unfortunately, it wasn't until at least December 14th that RockYou acknowledged the intrusion, although they claim that the intrusion was quickly detected and the site taken offline to close the loophole.
In a statement RockYou claimed that they are about to advise all users of the intrusion.
Ten days after the intrusion, they still haven't advised the compromised accounts?
By the way – the reason everyone is up in arms about this? The user database records contained (amongst other information) every user's email address and their RockYou password IN PLAIN TEXT!
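As an added illustration (not code from iTWire or RockYou), this contrasts what a dumped user row hands over when the password is stored in plain text with what it hands over when the site stores only a per-user salt and a PBKDF2 hash; the email and password values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample row: with plaintext storage, a database dump IS the credential,
# and it works unchanged at every other site where the user reused the password.
PLAINTEXT_ROW = {"email": "user@example.com", "password": "hunter2"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def store_password(password: str) -> dict:
    """Build the record to persist instead of the password itself.

    A fresh random salt per user means two users with the same password get
    different hashes, so a dump cannot be attacked with one precomputed table.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dump_reveals_password(record: dict) -> bool:
    """True if the stored record can be used directly as the user's password.

    For the plaintext row this is trivially true; for a hashed record the stored
    hash is not the password, so replaying it as a login attempt fails.
    """
    if "password" in record:
        return True
    return verify_password(record, record["hash"])
```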
So, if you were one of the majority of users who tend to use the same password on multiple sites, you now have a big problem. Worse, the bad guys have a ten-day head start on you.
So, what does this mean?
They can access pretty much everything you own online!
Within your mail box, there is probably plenty of confidential information that would allow criminals to develop a very useful profile of you – possibly even enough for blackmail.
Your address book would also be a very useful addition to spam lists.
iTWire strongly suggests that any RockYou user immediately changes the password on their email account. Next, they should look through the account for any evidence of password change requests at other sites. Finally, they need to fan out and change the password at every other site they use. A different password at each site, right?
If the email address known to RockYou is used for any financial transactions, users should probably consider putting financial blocks in place – re-issue credit cards, request credit monitoring etc.
The only other thing users should do? They should contact RockYou and express their EXTREME displeasure with the fact that passwords were stored in plain text.