
SQL flaw at rockyou.com exposes the passwords of 32 million users

2009-12-15 23:42 | Posted by: Tonyu

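It is no secret that most people use the same password in many places. That is certainly convenient, but once your password is leaked in one place, your whole life can run into serious trouble. If you are in the habit of reusing the same password and you have a RockYou account, you need to change your passwords.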

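rockyou.com is a social-networking type of site with 32 million registered users (32603388, to be more precise). This week the security firm Imperva warned RockYou that its application had some SQL injection flaws. The flaw gives an intruder access to all user data, including usernames, passwords and email addresses.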

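Imperva says that after it notified RockYou that the application was vulnerable, RockYou replied that it planned to fix the problem this weekend. That seems to have been a little late, because more than one intruder had already broken in.

Part of the data that has already been leaked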

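For the intruders, the best part is that the password field in this huge trove of user data is stored in plaintext (unencrypted), and the email addresses are no exception. Surprised?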

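The intruder published a sample of the data obtained (for now the passwords are not shown fully in plaintext, which is better protection than RockYou's own! Ironic?) and warned: "Don't lie to your users, or I will publish all of the data." What I want to tell you is that RockYou has so far not reported this to its users. We have reached out to the company but have not heard back yet.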

Update: below is RockYou's reply to us about the incident

“On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”

They also said they plan to email users about the problem within the next 24 hours:

Dear RockYou user,

As you know, RockYou takes our users' privacy very seriously.  We take a lot of effort to protect user data from security breaches and attacks.

Unfortunately, RockYou has very recently learned that it encountered a security breach.  As part of this breach, it is possible that someone may have accessed at least your email address and password for the RockYou system.  We felt it was important to notify you of this immediately so that you could take any action you feel necessary to protect your privacy.

If you have any questions, please feel free to contact security@rockyou.com.  We are sorry for any problems this has caused you.

The RockYou team

“we felt it was important to notify you immediately”... ten days later? And how do they plan to explain the plaintext passwords? Fail!

Just wait and watch 32 million people change their passwords! What a spectacle that will be!

Original: http://www.techcrunch.com/2009/12/14/rockyou-hacked/

Translation: http://3seconds.cn/2009/12/15/rockyou-hacked.html
