Sensitive login credentials – stored in plain text – were left exposed because of a SQL injection bug in RockYou’s website. RockYou admitted the breach, which applied to user password and email addresses for widgits it developed, and pledged to improve security in order to safeguard against future problems.

From over 32 million passwords, the results were, sadly, not surprising. The top ten were:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

While the top ten shouldn’t surprise you, the fact that over fifty percent of the passwords used regular names, slang, and common dictionary words should. Even worse, the admins stored the information in plain text, something that should never be done. Hashing the passwords is not difficult, yet RockYou failed to do such a basic task. RockYou also didn’t have simple security protocols in places, such as minimum password length, and alphanumeric passwords.

Users should be looking to create more difficult passwords or suffer the consequences of further breaches.

Read the rest of my lengthy article at The Daily Censored.

Given the recent revelations, it’s likely you have some data that is now missing.

Susan Wade, Director of Public Relations for Network Solutions, spoke to The Tech Herald and explained some of the finer points to the DSA issued on Friday. Currently there is an investigation underway, and notices are going out to the 4,343 customers via email and postal notifications.

Wade explained that the malicious code was discovered during routine operations on a subset of servers that house the E-Commerce platform offered to Network Solutions customers.

E-Commerce customers are on a set of servers that are segmented from the Network Solutions infrastructure. The subset of servers where the malicious code was discovered hosted the 4,343 merchant sites that were attacked. Another point of interest is that the malicious code was discovered on only a fraction of the sites hosted for E-Commerce operations, where there are more than 10,000 sites overall.

The code may have captured transaction data from 573,928 cardholders during its run this spring. Network Solutions said that the merchants’ customers were exposed from March 12, 2009 until June 8, 2009. The level of exposure could vary depending on transaction volume, but transactions made after June 8, 2009 were not exposed to attack, as the hijacked sites were cleaned by then.

There is no information on how the code was planted on the sites. While examination of the code shows that it had the ability to ship data off to a third party, and Network Solutions believes that it did just that, the exact code is not available for public review. There is also no public information as to where the data believed to be stolen was sent.

So, three months on and they still have no clue how the breach occurred, if the information has been used for malicious purposes or who is responsible.  Considering the fact that Network Solutions retains a large amount of personal account details for many online businesses, one would think that they would have better security measures in place.  Apparently, they don’t.