Social networking users have been warned to check the small print on the security policy before signing up.
Following the rockyou.com hacking last week, Richard Hollis, managing director of Orthus, claimed that the hack could have directly affected most people who use a social networking site.
In a blog posting on the GetSafeOnline website, Hollis said: “The hacker was able to access this information through a SQL injection vulnerability on the RockYou site. This hacking technique is old, widely known and does not require a great deal of expertise to execute.
“The point being that any online business even marginally concerned with security would have closed off this easily exploited security hole before even thinking of launching their site – but apparently not RockYou.”
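To show why Hollis calls SQL injection old and easy to exploit, here is an added example that is not from the article, Orthus or RockYou, and says nothing about how the RockYou site was actually built. It uses a constructed in-memory SQLite table with three invented accounts and a hypothetical login form: the vulnerable version pastes user input into the query string, the fixed version binds the same input as a parameter. The classic tautology payload logs in without a password and dumps every account from the vulnerable code, and fails against the fixed code. Passwords are stored in plaintext only to keep the demonstration short; a real system stores salted hashes.

```python
import sqlite3

# Constructed sample data: three invented accounts in an in-memory database.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "12345")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable login: input is interpolated into the SQL text,
    so a quote character in the input ends the literal and the rest is parsed
    as SQL."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Same check with a parameterized query: the driver binds the values as
    data, so they can never change the structure of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable profile lookup, the pattern that lets an
    attacker pull the whole table rather than one row."""
    query = "SELECT username, password FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchall()


# The oldest payload in the book: closes the open quote, then ORs in a
# condition that is always true. The trailing quote is matched by the
# quote the application itself appends after the input.
PAYLOAD = "' OR '1'='1"


def demo():
    """Runs the legitimate and injected inputs through both versions and
    returns the outcomes so they can be checked."""
    conn = make_db()
    return {
        # Normal credentials work in both versions.
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "fixed_legit": login_fixed(conn, "alice", "s3cret"),
        # Injected password: the tautology makes the WHERE clause true
        # for every row, so the vulnerable login accepts it.
        "vuln_payload": login_vulnerable(conn, "alice", PAYLOAD),
        "fixed_payload": login_fixed(conn, "alice", PAYLOAD),
        # Injected username: the vulnerable lookup returns every account
        # and its password; the fixed one returns nothing.
        "vuln_dump": lookup_vulnerable(conn, PAYLOAD),
        "fixed_dump": lookup_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The injected query the vulnerable login ends up running is `... WHERE username = 'alice' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the clause is true for every row. The fix is not escaping or filtering quotes but the parameterized form, which keeps data and SQL in separate channels regardless of what the input contains.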
He was critical of the five-character minimum length for RockYou account passwords, noting that the site had no requirement for mixed case or alphanumeric characters and in fact enforced password simplicity by not allowing any punctuation at all.
Hollis said that this is where RockYou got it wrong, and where users need to be aware of security policies: if a site does not publish one, chances are it does not have one.
“Sending you open text passwords in emails is another indication that their approach to security may be short of your expectations. Read the privacy statement. Do they inform their customers about losses or breaches? Do you want to use them if they do not? The choice is yours,” said Hollis.