
RockYou Hacker: 30% of Sites Store Plain Text Passwords

In a chat today lasting over an hour, we got to talk to a person claiming to be the infamous hacker behind RockYou’s latest data security woes.

While he claimed to have no animosity toward users, he had one clear message for websites: Take better care of your customers’ data. RockYou isn’t the only hacked site storing plain text login information, either.

What Happened

To bring us all up to date, here’s the gist of the story so far: The hacker, who we’ll call Tom (not his real name) for brevity’s sake, tells us that he used an SQL injection to gain direct access to RockYou’s database, where he found login information for more than 32 million user accounts. The data was all in plain text and contained third-party site logins, as well.
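The attack described above, reduced to its mechanics as an added example (this is illustrative code written for this page, not RockYou's code or anything the hacker showed us): a login query assembled by string formatting lets a single tautology payload return every row of a users table, plain-text passwords included, while the same query with bound parameters treats the payload as an ordinary, non-matching username. The table, rows and payload are constructed for the demo; SQLite is used only because it ships with Python.

```python
import sqlite3

# Constructed sample data for this demo (not RockYou data). Like the table
# described in the article, it keeps passwords in plain text.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
    ("carol", "carol@example.com", "tr0ub4dor"),
]

# A classic tautology payload: closes the quoted username, ORs in an
# always-true condition, and comments out the password check.
INJECTION_PAYLOAD = "x' OR '1'='1' -- "


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so the caller's text is
    parsed as SQL. Returns the matching rows (username, email, password)."""
    sql = (
        "SELECT username, email, password FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the statement text, so quotes and comment markers in
    the input are just characters compared against the column."""
    sql = (
        "SELECT username, email, password FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def dump_via_injection(conn):
    """What an attacker gets from the vulnerable login with the payload:
    every row, including each plain-text password."""
    return login_vulnerable(conn, INJECTION_PAYLOAD, "anything")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected:", dump_via_injection(db))
    print("safe login, same payload:  ", login_safe(db, INJECTION_PAYLOAD, "anything"))
    print("safe login, real creds:    ", login_safe(db, "alice", "hunter2"))
```

With the payload, the vulnerable statement becomes `... WHERE username = 'x' OR '1'='1' -- ' AND password = 'anything'`; everything after `--` is a comment, so the password check never runs and the whole table comes back. The parameterised version returns nothing for the payload and still works for real credentials, which is the fix: bind values, never splice them into SQL.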

Tom sat on this information for a while. Although he’s posted about similar hacks in the past, he also claims to have exposed the same vulnerabilities and gained access to the same kind of data for many major U.S. sites. Tom wouldn’t reveal which sites he’d hacked, but he did say that he has no intention of using or publishing the data he’s unearthed.

But yesterday, incensed by this warning from an Internet security company and RockYou’s claims that only some accounts had been compromised by the security breach, Tom posted about the hack on his blog.

We (along with several of our peers) were tipped off to the situation via Twitter, and TechCrunch has since written two posts about the data breach.

Why This Is a Bad Thing

One of the more interesting facets of the story is RockYou’s failure to appropriately protect users’ login credentials. The hacker showed us an image containing the last few lines of a 32,603,388-line, seven-column dataset weighing in at 276 MB. All the data we saw was in plain text; any grade schooler could have used this information to log in to users’ accounts.

“If you don’t store passwords for accounts, if somebody hacks you, what can he do? Deface your site. The end,” said Tom.

“That’s nothing against 32 million emails with passwords. Count how many of them have PayPal. If I check every one, and only 10 percent of them have it, and I take only $10, it’s a pretty nice amount, don’t you think?”

The hacker makes an excellent point with this object lesson, and he clearly holds RockYou and its ilk squarely at fault.

Tom, who says he’s employed in a good security-related job, believes there should be laws requiring companies to encrypt user data. He said, “They are now hunting for me, but why? I didn’t do anything wrong. They should now be in jail because they put all of these people at risk. This was just for illustration.”

What We Can All Do

Tom says that one out of every three sites he’s gained access to stores user data in plain text databases. “Server owners can use third-party sites for authentication, like Facebook, Google, OpenID or OAuth,” he said. “Why the [redacted] would they want user passwords? I don’t understand that.”

For websites, the hacker recommends salted hashes, or compliance with PCI DSS, to protect user data. He said that MD5 (message-digest algorithm 5) is an inadequate solution. As a case in point, check out this post we saw today on Slashdot. “If you’re storing it in MD5, it’s nothing… It’s no problem to use a GPU cracker, or better, a botnet of PS3s. I’ve got three at home.”
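To make the difference concrete, here is an added example (ours, not the hacker’s recommendation verbatim and not anything RockYou ran) contrasting the two schemes in that paragraph: unsalted MD5, where one precomputed table cracks every user who chose a dictionary word, against a per-user random salt with an iterated hash, where identical passwords produce different records and each guess costs the attacker a full key derivation. PBKDF2-HMAC-SHA256 stands in for “hashes with salt” because it is in Python’s standard library; the wordlist, iteration count and record format are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2", "iloveyou"]

# PBKDF2 iteration count for this example (an assumption; tune it to your
# hardware and raise it over time). It is stored in each record so it can change.
ITERATIONS = 100_000
SALT_BYTES = 16


def md5_store(password):
    """The unsalted-MD5 scheme the hacker dismisses: one fast hash, and the
    same output for every user who picked the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_dictionary(stored_hashes, wordlist):
    """One precomputed table cracks every user at once: hash each word once,
    then look every stored hash up in it. Returns {hash: password}."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_store(password, iterations=ITERATIONS):
    """Salted, iterated hash. Record format (assumed for this demo):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per user defeats shared precomputed tables; the
    iteration count makes each guess cost that many HMAC operations."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count and compare in
    constant time, so the check itself does not leak a partial match."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_pbkdf2_dictionary(records, wordlist):
    """The same dictionary attack against the salted store: no shared table
    is possible, so every record costs a full pass over the wordlist at the
    stored iteration count per guess. Returns {record: password}."""
    found = {}
    for record in records:
        for word in wordlist:
            if pbkdf2_verify(word, record):
                found[record] = word
                break
    return found


if __name__ == "__main__":
    md5_records = [md5_store(p) for p in ("letmein", "letmein", "Zq7!unlisted")]
    print("md5 records:", md5_records)          # first two are identical
    print("md5 cracked:", crack_md5_dictionary(md5_records, WORDLIST))
    salted = [pbkdf2_store(p) for p in ("letmein", "letmein")]
    print("salted records differ:", salted[0] != salted[1])
    print("salted verify:", pbkdf2_verify("letmein", salted[0]))
```

Two things to take from it: with MD5 the two `letmein` users share one hash, so cracking one cracks both and the table built from the wordlist is reusable against every site that stores passwords this way; with the salted record the attacker gets nothing for free and pays the iteration cost per user per guess. In production a memory-hard function such as bcrypt, scrypt or Argon2 is the usual choice over PBKDF2, and the iteration or cost parameter should be raised as hardware improves.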

As far as users are concerned, Tom said, “Companies are putting people at risk by storing their data that way. [Users] should use their brains and generate a strong password for each site.” He noted that Roboform, PassPack and KeePass are all good tools for storing and maintaining passwords.

For the time being, Tom said he plans to leave the RockYou data unpublished and allow his actions to serve as a warning to users and websites to take better care of their data and identities.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.
