Posts Tagged ‘hack’
RockYou hack could have been prevented
Written by Dan Blacharski on December 23, 2009 – 5:09 pm

A social application site called RockYou suffered an attack that resulted in 32 million usernames and passwords being exposed. And to make a serious problem even worse, the company, which TechCrunch says “has a history of stupidity”, didn’t inform its users until ten days after the fact.
TechCrunch reported on the issue, and RockYou’s statement to the IT blog noted that “On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”
According to reports, the site had an SQL injection flaw. This type of flaw is quite common: untrusted input is spliced into a database query, so it targets the application’s database layer rather than the web server itself.
The problem was especially serious because RockYou usernames and passwords are the same as customer email names and passwords, and access to the database could open the door to a flood of spam, not to mention identity theft resulting from breaking into customers’ email accounts.
One hacker did gain access to the full list of unencrypted passwords, which had been stored in plain text, and posted some of it publicly. In true vigilante fashion, the hacker posted part of the file, with the note, “Don’t lie to your customers, or I will publish everything.”
RockYou made two critical mistakes, one in policy and one in technology. The policy mistake was to keep silent on the issue until ten days after the fact. Now, they are dealing with the public relations nightmare of their decision not to inform their customers right away. The second mistake was one of technology: storing usernames and passwords in plain text. Keeping these credentials in plain text was a disaster waiting to happen, and the company should have known that. It’s not that hard to protect username lists, and simply encrypting the file would have prevented much of the negative fallout the company is now seeing in the press.
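The two technical failures discussed above, a query that lets user input alter the SQL statement and credentials kept in plain text, can be shown side by side. The Python below is an added example written for this page, not RockYou’s code or anything from the reports; the table layout, column names, the sample accounts, and the choice of salted PBKDF2 password hashing (a one-way store, used here in place of the reversible file encryption the post mentions) are all my assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tune for your hardware.
PBKDF2_ITERATIONS = 200_000


def create_db():
    """Constructed in-memory user table; schema is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash. The database never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(conn, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt so equal passwords hash differently
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def login_unsafe(conn, username: str, password: str) -> bool:
    """DEFECT (the pattern behind SQL injection): the username is pasted into the
    statement text, so any quote or SQL syntax in it changes the query."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(pw_hash, hash_password(password, salt))


def login_safe(conn, username: str, password: str) -> bool:
    """Fixed form: a bound parameter keeps the username as data, never as SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # Constant-time comparison of the stored hash against the candidate hash.
    return hmac.compare_digest(pw_hash, hash_password(password, salt))


def stored_hash(conn, username: str) -> bytes:
    """What an attacker who dumps the table would actually see for this user."""
    return conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def run_demo() -> dict:
    """Exercise both code paths on constructed accounts and report the outcomes."""
    conn = create_db()
    register(conn, "alice", "correct horse battery staple")
    register(conn, "o'brien", "pass phrase")  # a legitimate name containing a quote

    try:
        unsafe_result = login_unsafe(conn, "o'brien", "pass phrase")
        unsafe_broke = False
    except sqlite3.OperationalError:
        # The quote in the username became part of the SQL and the statement no longer parses.
        unsafe_result = None
        unsafe_broke = True

    return {
        "safe_login_ok": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_login_wrong_pw": login_safe(conn, "alice", "wrong"),
        "safe_login_quoted_name": login_safe(conn, "o'brien", "pass phrase"),
        "unsafe_query_broke": unsafe_broke,
        "unsafe_result": unsafe_result,
        "plaintext_in_store": b"correct horse" in stored_hash(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated query fails on a perfectly ordinary username containing an apostrophe, which is the same mechanism an injection flaw rides on; the parameterised version handles it as plain data. Separately, a dump of the `users` table yields only salts and PBKDF2 hashes, so the “full list of unencrypted passwords” that was posted in this incident would not have existed.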
Twitter hack was achieved by hacking Yahoo mail first
Written by Dan Blacharski on May 6, 2009 – 2:50 pm

A blog entry on Twitter yesterday confirmed that an outside party gained unauthorized access to Twitter. Although the blog entry notes that no account information was altered or removed, there were at least ten individual accounts that were viewed.
A more detailed report on Information Week provides a little more meat to the issue. Apparently, it began when a Twitter product manager’s Yahoo! mail account was hacked, using the same password-recovery technique that was used to compromise Sarah Palin’s email account. Shortly after, someone known as “Hacker Croll” posted screenshots of Twitter’s administrative console on the Web, including admin information about Barack Obama’s and Britney Spears’ accounts. The attacker explains in his post that access to Twitter was gained through the Twitter administrator’s Yahoo! account by resetting the secret question. The mailbox contained a message with the Twitter password, which gave the hacker access to Twitter.
This is just one more example of why you should never use public email like Yahoo! for official or sensitive business of any sort.