Security Flub Exposes 32 Million Names, Passwords At Social App Site
Written by Fred J. AunWeak security at RockYou.com, a social networking application development site, allowed unauthorized access to more than 32 million user log-in credentials stored in an unencrypted database, according to the site’s chief technology officer. The SQL injection flaw allowed access to those credentials, and because “the user names and passwords are by default the same as the user’s Webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,” said Amichai Shulman, the chief technology officer at Imperva, a data security vendor that detected the problem and alerted RockYou officials, but not before the data theft had happened.
RockYou publicly acknowledged the breach Wednesday (Dec. 15), warning users to change their log-in credentials for other “online destinations” if they are the same as those used for RockYou.com. In a Venturebeat.com story on the incident, RockYou CTO Jia Shen said the problem involved RockYou’s legacy widget applications, a part of the site now closed, and he admitted the passwords had been retained unencrypted. Gartner Security Analyst Avivah Litan said retailers should view the case as a warning about the potential pitfalls of the single ID movement. “This just proves the theory that if you use an aggregator and have single sign-on to multiple sites, all it takes is a break-in to compromise your access to everything else,” Litan said. “Everybody should take a pause on these single-user schemes.”
The mobile challenge is less about supporting the devices and more about having the skill and tenacity to integrate the ordering app into the multitude of POS networks/software iterations. 
-Dan Stiel