RockYou explains how a hacker stole 32 million passwords — and what it's doing about it

Social app maker RockYou confirmed today that it is notifying millions of its users that their usernames and passwords may have been compromised by a hacker who broke into the company’s older applications known as widgets.

In an exclusive interview, RockYou chief technology officer Jia Shen said the company was notified of the SQL injection attack against its widgets last week by officials at security firm Imperva. Shen said RockYou shut down the site for its legacy applications, such as slide show widgets, and secured them.

That process took about a day. Then the company began poring through its databases to find any evidence of attack. Shen said the company doesn’t know exactly what the hacker did in the attack. The company is in contact with law enforcement but isn’t saying more.

“But we are assuming the worst,” Shen said. “We checked the activity and it looked like it had been going on a couple of days before we were warned.”

In fact, a hacker posted some of the passwords and usernames that were allegedly stolen. Shen confirmed that those were legitimate passwords from RockYou’s databases, but he does not know exactly how many were stolen. Shen emphasized that RockYou’s current Facebook applications and its ad network were not attacked and are not vulnerable to the same kind of attack. The widgets were RockYou’s main business before it switched to becoming a Facebook app developer.

“We worked on our widgets for a long time and the code base predates the Facebook platform,” Shen said. “We are taking a lot of flak. But I want to make it clear that nothing outside of the RockYou widgets was impacted.”

Nevertheless, Shen said the impact could be serious. For instance, if users reuse the same username and password across every site they use, including their online bank accounts, the stolen credentials can be tried there too, leaving those users exposed to account takeover and identity theft.

One user told us some time ago that RockYou was vulnerable to attack, as were other sites. Shen said he had not previously received any warning about the risk of an SQL injection attack against the widgets.

“We started off as a small company and today we have a different engineering structure,” he said. “But shame on us. If you make a mistake, then people can get in and it is a big hole.”

Shen acknowledged that the usernames and passwords were stored in a database in plaintext, neither hashed nor encrypted, another basic security failure. That is why the injection yielded the passwords themselves: anyone able to read the table could read every credential directly, rather than recovering only hashes that would still have to be cracked. The company has begun notifying users but has not finished yet because the process takes a long time. Shen acknowledged the company said nothing publicly for 10 days, but said it was busy notifying users and partners during that time.
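The two defects the interview describes, a query built by string concatenation and passwords kept in plaintext, shown beside the fixed versions. This is an added example written for this page, not RockYou's code and not from the original article; the table layout, the sample users and the PBKDF2 parameters are assumptions for illustration. Run it and the injected username dumps the whole plaintext table, while the parameterized, hashed variant returns nothing useful.

```python
"""Constructed example: an injectable login query beside a parameterized one,
and passwords stored as salted PBKDF2 hashes instead of plaintext.
All table names, users and passwords below are made up for the demo."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the plaintext values exist only to seed the demo.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "correct horse")]
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). A fresh random salt per user
    means two users with the same password get different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_db() -> sqlite3.Connection:
    """In-memory database holding the same accounts two ways:
    users_plain as the legacy design, users_hashed as the corrected one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, digest BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (user, salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Legacy pattern: user input is pasted straight into the SQL text.
    A username of  ' OR 1=1 --  rewrites the WHERE clause and comments out
    the password check, so every row (with its plaintext password) comes back."""
    sql = (
        "SELECT username, password FROM users_plain "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Corrected pattern: the value is bound as a parameter, so it can never
    change the query's structure, and the stored record is a salted digest
    rather than the password itself."""
    row = conn.execute(
        "SELECT salt, digest FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def dump_hashed_table(conn: sqlite3.Connection) -> list:
    """What an attacker who can read users_hashed actually obtains: salts and
    digests, which still have to be cracked one guess at a time."""
    return conn.execute("SELECT username, salt, digest FROM users_hashed").fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable login with injected username:", login_vulnerable(db, payload, "x"))
    print("parameterized login with injected username:", login_parameterized(db, payload, "x"))
    print("parameterized login with real credentials:", login_parameterized(db, "alice", "hunter2"))
    for name, salt, digest in dump_hashed_table(db):
        print(name, salt.hex(), digest.hex())
```

The vulnerable function returns the rows as the server would see them; in the real breach the attacker needed only to read the table, and because it held plaintext there was no further step. With the hashed table, the same dump gives an attacker per-user salts and slow PBKDF2 digests, and the constant-time comparison in the login path avoids leaking partial matches through timing.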

The company is telling users to change their passwords on the RockYou site and on any other sites where they’ve used the same username or password.

“Locking down everything is complete,” Shen said. “Our security approach in the future will have to be deeper.”
