RockYou, a social game developer, will be laying off a number of employees, we’ve confirmed with the company. The total number of employees being cut, explains CEO Lisa Marino, is 100, but there are two parts to the cuts. First, around forty employees from Playdemic, a social game development studio that RockYou acquired in January, will be rejoining Playdemic as a spinoff as the studio has been sold back to the original founders. The social game Gourmet Ranch will become part of Playdemic.

Marino says that around 56 employees will be let go from RockYou’s headquarters in Redwood city, including some staff from the game organization, media, and general and administrative services. After the Playdemic spinoff and the layoffs, RockYou will be left with half of its staff, with 90-ish employees, says Marino.

She’s careful to explain that this year’s round of layoffs is different from last year’s cutbacks, which took place as the company shifted its focus to social games. “Last year was about finding a business model. This year, it’s about making the company healthy and profitable,” she says. With the layoffs, RockYou is now profitable.

RockYou’s four main business channels are the Zoo World game franchise (which Marino says has doubled revenue per user), the Hooked game franchise, the Galactic Allies title and the media business. Marino says that RockYou will not be launching the upcoming game, Cloudforest.

It’s been a year of highs and lows for the social game developer. In October of 2010, the company was forced to layoff a ‘substantial’ number of its staff. Last November, RockYou’s then CEO Lance Tokuda left the company, and COO Lisa Marino stepped in as CEO.

RockYou has made a number of acquisitions in the social gaming space, including 3 Blokes and of course, Playdemic. In September, RockYou debuted one of its newest games, Gallactic Allies.

“We went too far down the creative path and lost our way in terms of being a profitable organization,” Marino says. “While today is a tough day, I am incredibly bullish on the business going forward.” She added that entire executive team is staying on at RockYou.

The company has raised $129 million to date.

Founded in 2006, 3 Blokes has developed four social games for Facebook, including their most recent title, Galactic Trader, a space trading and combat game with 200,000 monthly active users. The acquisition also bring RockYou a number of talented and seasoned casual game developers. The studio is led by George Fidler, a former COO of EA’s Asia Pacific Studio. John Passfield, formerly CEO of 3 Blokes and now VP of Creative for the studio, was previously Creative Director at Pandemic’s Australia studio and co-founded Krome Studios.

Based in Brisbane, 3 Blokes will operate independently as a RockYou studio and develop strategy and combat-driven Facebook games. It’s interesting see RockYou pursuing a strategy of creating more combat social games on Facebook considering Zynga’s recent launch of its newest combat game, Empires & Allies.

And its appears that RockYou, which just brought on a new CEO, has also adopted Zynga’s strategy of acquiring small game studios to build talent and games. Earlier this year, the company bought social game studio Playdemic.

I think we can expect more acquisitions coming from the gaming company in the future. RockYou said in the release that it “is expanding its studio system to support top independent developers around the world as it continues to grow their social game portfolio.”

But if anyone is going to pull a turn-around off at RockYou, it’s Lisa Marino. Marino joined RockYou in better days, when her husband Ro Choy was the company’s head of business development. Choy left to start his own thing, but Marino stayed on, continually taking on more and more sales and executive responsibility as the company began to crumble.

She took over as chief operating officer nine months ago, managing layoffs (including possibly RockYou’s founder Lance Tokuda) while she successfully recruited new gaming talent starting with senior VP of games Jonathan Knight. Likewise, she spent nine months cutting expenses dramatically, while managing to grow the top line more than 40% in the fourth quarter. Typically, those two don’t go hand-in-hand.

Presented with a much leaner, faster-growing social gaming company with plenty of cash in the bank, the board was pleased enough with Marino’s job to give her a promotion to CEO. But will these early victories be enough to turn the company around and differentiate itself from larger, sexier players like Zynga?

Marino tells us her hopes and fears for RockYou in the clip below.

RockYou earlier this morning announced that it has acquired social game developer Playdemic.

Based in Manchester, England, RockYou says Playdemic will operate independently as a subsidiary studio and develop Facebook games for a mainstream audience. Paul Gouge, Playdemic CEO and founder, will lead the studio as VP and General Manager. Terms of the acquisition were not disclosed.

Playdemic’s management team is said to have held senior positions at publishers like Ubisoft, THQ and Eidos. Ian Livingstone, co-founder of Games Workshop and life president of Eidos, was a chief investor in Playdemic. The startup’s been around for roughly a year.

RockYou says it will try and grow the user base for Gourmet Ranch, Playdemic’s first title that is currently playable on Facebook with half a million monthly active users. In the game, players can grow organic crops, raise animals and prepare and serve meals to their friends.

I spoke with RockYou COO Lisa Marino, who says that Tokuda told the company he would be stepping down last month, around the time that it pivoted to focus primarily on social gaming. A significant but undisclosed percentage of RockYou’s workforce was laid off as part of the transition, and the company hired former EA exec Jonathan Knight to serve as SVP of RockYou Games.

Marino says that Tokuda’s role is now being filled by an ‘Office of the CEO’ team that includes CFO Steve Van Horne, SVP President of Technology and Engineering Shamik Sharma, and herself, and that the company is currently in the midst of a search for a permanent replacement. Despite RockYou’s recent problems, Marino says that things have been “going really well” at the company since its pivot last month, and that it “is going to be very relevant in social games in around 70 days”.

However, Tokuda’s role change may not have been quite as smooth as RockYou is claiming. I called him to see if he had a comment of his own, and it sounded like the situation is still murky — he directed me to RockYou’s PR team, and said that he is very much still with the company (I’ve reached out to RockYou PR to firm up what his current position is). Granted, I did call him without warning so he may well have simply been caught off guard. But it does seem a little odd that he is still listed on RockYou’s management page as CEO, and that his role change was not announced as part of the press cycle around RockYou’s hiring of Knight.

Update: Marino had clarified that Tokuda is indeed still with RockYou, and that he is working on ‘innovation and strategic initiatives’, such as exploring new areas for RockYou to expand into. That might include platforms (for example, mobile) or game genres.

A company spokesperson declined to comment on how many people were laid off (the best I could get out of them was that it was less than half the company) — we’re working to get a more specific number. RockYou has been very well funded, with over $125 million raised to date. It recently closed a $10 million round in June to boost its presence in Asia.

RockYou will continue to work on its advertising initiatives and will be directing most of its resources at developing social games. It won’t be shutting down its established non-gaming properties, which include Pieces of Flair and SuperWall, but it won’t be supporting them to the same extent that it has been up until this point.

It’s been a bad year for RockYou. Less than twelve months ago, the company had all of its 32 million accounts hacked.

RockYou arch-rival Slide was acquired by Google in August for $228 million.

RockYou, one of the largest developers of social games and applications, this morning announced that it has inked a long-term deal with Facebook.

Under the terms of the agreement, RockYou will be making Facebook Credits the exclusive virtual currency in its games and apps for the next five years.

As is standard for developers on Facebook, RockYou will receive 70 percent of the revenue from Facebook Credits, while Facebook will keep the remaining 30 percent.

This marks another coup for Facebook, which has been aggressively trying to push third-party developers and publishers to use its virtual currency in their platform applications as of late.

As Inside Network’s Eric Eldon pointed out recently, Facebook had so far convinced only CrowdStar and LOLapps to use Facebook Credits exclusively as the direct payment method, with rivals like Zynga participating but continuing to use alternatives.

Zynga and Facebook most recently sparred over Facebook’s Credits initiative, which was introduced last April. Zynga was of course trying to negotiate to lower Facebook’s cut and in these earlier negotiations, things got pretty heated.

Going back to today’s announcement, RockYou and Facebook separately announced that they teamed up earlier this year for the former’s advertiser-sponsored “Deal of the Day” program, which rewards people with Facebook Credits when they interact with in-game advertising. More than 1 million people completed the Deal of the Day with Facebook Credits in the first four days after it launched in April, the companies said in a joint statement.

To date, RockYou claims it has issued over 5 million Facebook Credits in its “Zoo World” game alone, using both direct pay and advertiser-sponsored solutions.

RockYou develops and acquires social networking applications, but a big part of their business is serving advertising to their own as well as third party apps. RockYou Asia is a social and mobile application developer providing entertainment tools and social applications to users in Asian Countries. Games include RockYou Battle Monsters, Umajin RockYou, Usaru Biyori, Crime World, Hug Me, and Speed Racing

The startup, which was one of the pilot partners for Facebook’s move into the offers space, has been working with a number of game developers throughout Asia to monetize, license, and publish games globally. RockYou sees alot of potential in the Asia social gaming market and wants to increase its presence in the area. There are 280 million monthly users of apps that RockYou owns directly or has advertising relationships with, says the company. Last year, RockYou suffered a data breach that resulted in the exposure of over 32 Million user accounts. The company was eventually hit with a class action lawsuit for poor security measures.

We recently wrote about 8Coupons and Yipit, which both aggregate Groupon-like deals. Today, Peanut Labs is launching a different twists to the crowdsourced local deal; the startup is allowing users to earn virtual currencies by buying local goods and services at huge discounts, called Cherry Deals.

So when playing a game on Facebook, a user will see the option of earning points for the game is they buy a Groupon-like deal. Cherry Deals uses your IP address to figure out where you are, and then serves up both national and local deals. Once you click on a deal, you can pay with your credit card within Facebook and you will receive the virtual currency in your gaming account. Cherry Deals will also serve as a standalone Facebook app. For now all the deals are U.S. based but Cherry Deals plans to expand to the U.K. and Canada by the end of this year.

The interface looks and feels just like Groupon, except that it is placed within Facebook. Ali Moiz, co-founder of Peanut Labs, says that they “felt no need to reinvent the wheel” in terms of design and the model. And Peanut Labs has already struck a few major deals for games to include the offers. Cherry Deals will be included in Facebook games produced by RockYou and TheBroth.

Cherry Deals is a solid idea because of a few reasons. First, the Groupon-model allows for higher margins than simply referring customers to retailers. Second, game publishers and developers already have a base of users that will be viewing the deals, so Peanut Labs doesn’t have to worry about recruiting traffc to its deals. That being said, we’ve seen the popularity of the collective buying deals on the web so it should be interesting to see how Cherry Deals performs with consumers on Facebook.

Disclosure: My husband, Suneel Gupta, is an employee of Groupon.

Sigh.

Only 0.2% of users had what would be considered a strong password of eight or more characters that contains a mixture of special characters, numbers and both lower and upper case letters, says the study.

The really depressing thing is that users tend to use the same passwords on all or most of their work and personal accounts. This is what caused the 2009 Twitter document hack. Once the hacker broke in to a single employee’s gmail account, he was running free and eventually got access to a lot of sensitive corporate information.

So if you want your password to be the stunningly simple “123456″ on RockYou and other social sites, that’s fine. Just don’t use that same password for gmail, your bank and your work accounts.

Of course, it doesn’t really matter how awesome your password was with RockYou, since they stored it all in clear text and lost control of the data.

Editor’s note: The following guest post was written by Rohit Khare, the co-founder of Angstro. Building his latest project, social address book Knx.to, gives him a deep familiarity with the privacy policies of all the major social networks.

I’d be wishing everyone a happier New Year if it were easier to mail out greeting cards to friends on Facebook and colleagues on LinkedIn. I’d like to use knx.to, our free, real-time social address book, but their ‘privacy’ policies prevent us from downloading contact information, even for my own friends.

At least those Terms of Service (ToS) that force us to copy addresses and phone numbers one-by-one also prevent scoundrels from stealing our identity; reselling our friends to marketers; and linking our life online to the real world. Right?

Wrong. When RockYou can stash 32 million passwords in the clear; when RapLeaf can index 600 million email accounts; and when Intelius can go public by buying 100 million profile pages; then our social networks have traded away our privacy for mere “privacy theater.”

With apologies to Bruce Schneier’s brilliant coinage, “security theater” (e.g. the magical thinking behind forcing passengers to sit down and shut up for the last hour of international flights), social networks have been dogged by one disaster after another in 2009 because they pursue policies that provide the “feeling of improved privacy while doing little or nothing to actually improve privacy.”

As long as the same information that social networks piously prohibit their own customers from using is being bought and sold on the open market by giant marketing companies, social networks are only pretending protect your privacy.

Industrial-Scale Identity Theft

Last week’s headlines brought news that RockYou had accumulated 32,603,388 identities over the past few years — and negligently stored them in plaintext in an incompetently protected database.

RockYou’s official bluster about “illegal intrusion” should fool no one: blaming Imperva, the firm who exposed the flaw, or accusing the hacker(s) of being the identity thieves is misdirection: it was actually RockYou who stole those credentials, and RockYou should be held to account.

I realize that I’m using the incendiary terms “identity theft” and “stole,” even though I would agree that users voluntarily consented to type their passwords into RockYou’s forms. I assume that both users and RockYou’s developers actually only intended to share some particular bits of information: a contact list, a user photo, a friend’s gender; but the bottom line is that instead of sharing that specific data, RockYou retained enough secrets to impersonate those users at will.

• Don’t blame the victims. Bemoaning the absence of open standards for users to share their own data; or complaining about the weaknesses of users’ password choices is merely changing the subject.
• Don’t blame “security” technology. More encryption, better encryption, or stronger firewalls would not help, since the default RockYou username in this case was a user’s primary email address. For anyone who chose to use a popular Webmail service, that granted access to every other online service they’ve ever used — because of those ubiquitous “Forgot your password?” buttons to email it back to you (just ask Twitter how much fun that is).
• Don’t blame RockYou’s partners, who hosted their widgets. They just wanted to give their users some fancy new slideshows and scoreboards and other features to put on their pages; that shouldn’t have required an all-out war for viral growth that demanded users to log in and advertise their new widgets to all of their friends.

The fault, dear Reader, is not in our stars; it lies with sites that pretend to waive all care and duty by idly warning their users not to share their account passwords with anyone else.

In the absence of vigorous enforcement of those ToS agreements, any RockYou developer who passed up the opportunity to, say, phish MySpace passwords was putting their own employer at a disadvantage to any other startup that was willing to race them to the bottom.

APIs: Automating Privacy Intrusions?

RockYou minimized the scope of this breach by maintaining that it only affected their “legacy platform” for widgets rather than its larger “partner applications platforms” that use “industry standard security protocols.” After all, the advent of social networks’ partner APIs was supposed to make impersonation and scraping obsolete.

Those APIs came with their own new ToS agreements that added new, overlapping, and sometimes-contradictory restrictions as they worked through all of the implications of letting third parties in on the fun. The ACLU released a fun quiz that makes quite clear how much information is at stake, from your hometown to your friends’ sexual orientation.

For example, if you upload a photo of me that I find embarrassing, I could prevent you from tagging me in it, but I can’t forbid you from keeping your own photo online (or keeping it private, bugs aside). I can’t even forbid another friend of ours from caching a copy in his or her browser.

However, the Facebook API ToS can (and does) prevent a third-party application from caching a link to the photo for more than a day (a week on Orkut). Unfortunately, direct links to the photo server didn’t double-check the privacy policy, so a third-party app would be at risk of leaking images users thought were private, unless the developer remembered to make a separate API call every time to re-verify every photo on a page.

He (or She) Who Must Not Be Named

In an ideal world, a third party developer shouldn’t have to store any personally-identifiable information (PII). In many jurisdictions, PII is akin to toxic waste, because of the regulatory burdens and civil, even criminal, liability for acquiring and disposing of it.

Here again, Facebook is the pacesetter: it’s possible to display “She liked 7 photos uploaded by Mr. Smith two weeks ago” using little more than a numeric user id. The developer writes a sentence in Facebook Markup Language (FBML), and Facebook’s servers will dynamically substitute the name, gender, item count, and ensure grammatical agreement of pronouns, singular/plural choices, and time intervals.

OpenSocial gadgets have to copy PII into the browser to format a sentence like that. LinkedIn’s partners even have to copy PII to their own servers, since their Open API is currently incompatible with AJAX authentication.

Even though copying PII is the root of all privacy risks, there are three reasons it can be necessary: latency, history, and agility. Without caches, slow API calls can make an app’s performance suffer. Without archives, analyzing only the most recent events can mislead an app’s trend detection or recommendation services. Without “offline” access, waiting for a user to log in again delays an app’s reaction to events in real-time.

There aren’t many technical countermeasures once data has been copied. LinkedIn spent more than a year tinkering with their public API, but the only substantial difference is that it now encrypts every member id with the identity of the developer and application to trace the source of a breach. I applaud them as an industry pioneer — though they’re so dependent on search-engine optimization that they still include the public numeric ids in the profile page URLs anyway.

Exporting PII with legal strings attached is the best policy we can hope for. While Amazon’s ToS requires its associates to display accurate, up-to-date prices, Twitter has only recently realized the implications of searching deleted tweets and doesn’t yet oblige its API partners to update their copies when tweets are deleted or protected.

Buying Back Your Own Data? Priceless.

If PII is so hard to protect, then the only way for social networks to protect their users’ privacy must be to prohibit partners from accessing contact information in the first place. I might not be able to export my holiday card mailing list from my favorite social network— a roach motel for our data — but giant marketing corporations can buy and sell our private information with impunity.

I could go to Rapleaf right now to buy an analysis of any list of email addresses to learn its makeup by gender, income, residence, and all manner of other demographic data. Who’s to say how short that list could be—it’s a slippery slope from aggregate info to personal info. Or I could shop at one of Intelius’ many fronts and affiliates who are selling PII explicitly (TRUSTe-certified!). Or I could barter some of the stray business cards on my desk on Jigsaw to fill in the rest of the puzzle. All of these businesses depend on PII data harvested from social networks.

How is that possible? None of the social networks that we’ve integrated with has an API for reading email addresses — but all of them have no problem asking you to “Invite your friends!”  After all, most social networks remain hypocritical enough to phish passwords to other social networks themselves as soon as they ask you to “Invite your friends” for their own viral growth!

Putting aside the hypocrisy of phishing passwords to scrape those friends’ email addresses in the first place, the subtler flaw is that social networks are more than happy to search their member database for those addresses to share a list of suggested friends. That’s how a Rapleaf could take a mailing list, pretend that those are all friends of theirs, and slowly accumulate a “reverse phonebook” that maps emails to social network profiles.

Or you could just crawl their websites. Social networks depend on search engines for traffic, so they almost universally have public pages for every member with well-known URLs and directory listings by name for crawlers to index. A mini-boomlet in funding “people search“ startups underwrote this massive exercise, but they sold their archives to less-than-savory marketers.

Now, merely indexing public web pages can’t be evil—but reconciling online identities and 3rd-party advertising cookies with real-world credit reports, government records, and other databases can be. Adding in all that information doesn’t increase Mr. Smith’s anonymity; Jeff Jonas has made a small fortune proving that semantic reconciliation dramatically collapses uncertainty. Just think about combining Spock’s 100M profiles with Intelius’ 20B other data points; or Wink’s 200M profiles with Reunion MyLife’s 34M members and 700M records…

Whose Data Is It, Anyway?

The philosophical question at hand is what rights do I have in my friends’ information. When I accept a business card from someone I’ve just met, I don’t believe I have the right to re-sell it on Jigsaw in good conscience (they’d disagree 18M times). If it’s a colleague’s card, on the other hand, I might take the initiative to forward a new lead, or even buy a gift subscription to a magazine. Does that constitute a violation of their privacy, or spam?

Social networks haven’t let their users make their own decisions on this issue. Through selective enforcement of their policies, some startups get locked out while big partners get exemptions. Power.com ended up in (and out of) court. Plaxo found out the hard way that they couldn’t assist their paying customers to OCR Facebook email addresses; or to synchronize with LinkedIn. It says a lot about LinkedIn’s draconian ToS that even with paying customers demanding it, Comcast hasn’t signed up for their API. Even if users manually download their own LinkedIn address books, it won’t even include links back to folks’ public profile pages.

Don’t Accept Incompetence

I also claim that social networks are engaging in Privacy Theater because there’s no shortage of examples of organizations on the Web that process vast quantities of PII while providing real privacy protection. Do you think that the “bad guys” haven’t gone after Webmail services to phish passwords and harvest contact information? Aren’t e-commerce sites sharing product information and reviews out to legions of affiliates without leaking your purchase history? How long do you think RockYou would have gotten away with it if they were asking for your online banking username instead of your email address?

Social network sites have not (yet) demonstrated the high degree of proactive surveillance and enforcement characteristic of other organizations that deal with PII on the Internet. Users see worms on MySpace and viruses on Facebook, but not on Hotmail — because they defend against cross-site-scripting attacks. Users find malware distributed on Slide, but not on Wikipedia — because they filter content aggressively. Users are blocked by DDoS attacks and DNS attacks on Twitter — but Amazon stays up because they can react in real-time (mostly). How much more quickly do Cease & Desist letters for putting up a fake PayPal logo go out than for impersonating a Facebook Page?

From personal conversations, I’m beginning to wonder if the recent rise of Hadoop is part of the problem, surprisingly. Trying to detect patterns of abusive crawling and suspicious bursts of activity from partner apps by analyzing yesterday’s log files alerts you too late to react. The culture of many social networking websites seems to emphasize page load times (especially after the great Friendster meltdown), which isn’t quite the same as the enterprise IT, networking, and transactional database backgrounds of other leading Web architects. And unlike the formal (and informal) networks of security officials at online financial institutions to track distributed threats, I fear we have little evidence of coordinated responses to privacy threats that correlate identities across social networks.

I have first-hand experience that it takes more time (and more money) to ship applications that comply with social networks’ privacy policies. If we weren’t living with Privacy Theater, that might not have been a wasted investment. Inevitably, Gresham’s Law kicked in, and the good guys are being driven out by the bad guys (spammy apps, scammy apps, sneaky apps, conniving apps).

Privacy Theater: The Show Must Go On…

Naturally, I prefer to think of myself as one of the ‘good guys.’ I prefer to believe that privacy protection is a competitive advantage that users (citizens!) really value. Until this outrageous RockYou breach, I didn’t fully realize how irrelevant that is.

I’d argue that the hapless state of ToS enforcement by the major social network platforms only provides the feeling of improved privacy while doing little or nothing to actually improve privacy: that’s privacy theater.

Unfortunately, that analogy is still unfair: TSA may screen children at the airport, but at least their security theater doesn’t obscure the fact we haven’t had a catastrophic security failure in the US air transportation system (yet). Our major social networks’ privacy theater is distracting us from ongoing, large-scale identity theft and misuse of private and personally-identifiable information.

If the industry expects self-regulation to forestall government regulation, well, here’s what I think it would take: An immediate ban on all of RockYou’s applications by all of their partners, pending a public audit of all of their apps. That’s taking a page from the audit provisions of LinkedIn’s ToS and adding sunlight by publishing the results.

Sounds harsh? I thought the market was supposed to provide swifter, surer justice than some pesky regulator with its clunky old notions of due process and presumptions of innocence. API agreements are a private matter between ruthless corporations. Heck, if they really wanted to put the rest of the ecosystem on notice, they ought to audit every application funded by Sequoia, Partech, DCM, and Softbank, all lead investors in RockYou.

It’s not like lawsuits are being filed, as Marissa Mayer announced by going after work-from-home scam artists in an interview with Mike Arrington at LeWeb. It’s not like this is Scamville 2.0, since this isn’t stealing users’ cash, only their dignity. It’s not like there’s a legal spotlight on the issue, since there’s only $9M set aside for a hazy new privacy foundation in the latest Facebook class-action settlement. It’s not like it’s a political issue in the headlines, since a Facebook Chief Privacy Officer is running for Attorney General, the top law-enforcement office in California. It’s not like it’s as complicated as “don’t be evil,” since I can give you one simple tip to eliminate privacy theater: enforce your ToS and obey others’ ToS — or else stop setting unrealistic expectations and just let users have their data back!

(Photo credit: Flickr/FaceMePLS).

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.

The database consists of a table containing partner data, and another table that has stored the credentials for those partner sites that users have entered. This includes social networks such as MySpace but also webmail accounts.

Data UserAccount [32603388]
================
1|jennaplanerunner@hotmail.com|mek*****|myspace|0|bebo.com
2|phdlance@gmail.com|mek*****|myspace|1|
3|jennaplanerunner@gmail.com|mek*****|myspace|0|
5|teamsmackage@gmail.com|pro*****|myspace|1|
6|ayul@email.com|kha*****|myspace|1|tagged.com
7|guera_n_negro@yahoo.com|emi*****|myspace|0|
8|beyootifulgirl@aol.com|hol*****|myspace|1|
9|keh2oo8@yahoo.com|cai*****|myspace|1|
10|mawabiru@yahoo.com|pur*****|myspace|1|
11|jodygold@gmail.com|att*****|myspace|1|
12|aryan_dedboy@yahoo.com|iri*****|myspace|0|
13|moe_joe_25@yahoo.com|725*****|myspace|1|
14|xxxnothingbutme@aol.com|1th*****|myspace|0|
15|meandcj069@yahoo.com|too*****|myspace|0|
16|stacey_chim@hotmail.com|cxn*****|myspace|1|
17|barne1en@cmich.edu|ilo*****|myspace|1|
18|reo154@hotmail.com|ecu*****|myspace|1|
19|natapappaslie@yahoo.com|tor*****|myspace|0|
20|ypiogirl@aol.com|tob*****|myspace|1|
21|brittanyleigh864@hotmail.com|bet*****|myspace|1|myspace.com
22|topenga68@aol.com|che*****|myspace|0|
23|marie603412@yahoo.com|cat*****|myspace|0|
24|mellowchick41@aol.com|chu*****|myspace|0|
25|baiko0o@aol.com|may*****|myspace|0|
26|indahamzah84@hotpop.com|lov*****|myspace|0|

The initial exploit took advantage of a trivial SQL injection vulnerability, a technique that has been well documented for over a decade. The method of vulnerability is extremely basic in execution, yet catastrophic in impact – which RockYou, and the sites users, are now learning the hard way. It is more of a surprise that this had not happen sooner – as the RockYou platform is a swiss cheese of security vulnerabilities and poor practices.

Where RockYou Went Wrong

Poor password policies

RockYou account creation only enforced password of a minimal length of 5 characters, there was no requirement for mixed-case, numbers or punctuation. The platform actually encouraged simple passwords by not allowing any punctuation at all.

Passwords in the clear

RockYou are still storing passwords in the clear, and transporting user passwords in the clear via email. Despite the attack taking place over 10 days ago now and RockYou knowing about the attack, a user signing up for a RockYou account today will still have their password stored as plain text and emailed to them in the clear.

The password anti-pattern

RockYou prompted users to enter their third-party site credentials directly into the RockYou site when sharing data or an application. The Facebook integration requires proper Facebook authentication, and MySpace integration today applies similar techniques, but for most of the other sites the same old crazy password request form is still present. Telling your users that you will not store their password is not a solution.

Terrible Response

RockYou knew about the breach days ago, and it took a taunt from the hacker for the issue to become well-known and for RockYou to issue a response (although their users are still not aware of the issue, unless they are reading the news online).

The sites privacy policy and the related ‘security’ section state:

Our Commitment To Data Security:
RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk. Once we receive your transmission of information, RockYou! makes commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

If RockYou! learns of a security systems breach, then we may attempt to notify you electronically so that you can take appropriate protective steps. RockYou! may post a notice on the RockYou! Sites if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive a free written notice of a security breach (or to withdraw your consent from receiving electronic notice) you should notify us using this contact form.

Next time you sign up for a web service, take a moment to see where they stand on informing their users on a data breach, and find out just how much they respect the privacy of their users.

RockYou have been complacent with what is a very serious matter. They have not taken steps to rectify the problems that caused the breach and have not addressed their users in a suitable or adequate manner. An appropriate response would have been to take the site down for a period of a few hours and enforce that users enter new passwords, which would be stored in a hashed or encrypted form. The sad thing is that companies are able to get away with being so complacent, because most users will not find out about this, most users will never be affected by it and there is zero accountability for a users private data from service providers.

If you know of any company with similar policies, such as emailing passwords in the clear – call them out in the comments or email us on tips at techcrunch.com. We will make sure that we followup with each of them, and call them out if necessary.

Over the weekend, the security firm Imperva issued a warning to RockYou that there was a serious SQL Injection flaw in their database. Such a flaw could grant hackers access to the the service’s entire list of user names and passwords in the database, they warned. Imperva said that after it notified RockYou about the flaw, it was apparently fixed over the weekend. But that’s not before at least one hacker gained access to what they claim is all of the 32 million accounts. 32,603,388 to be exact. The best part? The database included a full list of unprotected plain text passwords. And email addresses. Wow.

The hacker has posted a sample of what they found. They have blanked out the passwords for now, but warns, “Don’t lie to your customers, or i will publish everything.” As far as we can tell, RockYou hasn’t issued a warning about this to its users yet. We’ve reached out to the company, but have yet to hear back.

RockYou has a history of stupidity. See here, here, and here. This may take the cake.

Update: Here’s the statement we were given by RockYou on the situation:

“On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”

They also say that they plan to issue the following email to users in the next 24 hours:

Dear RockYou user,

As you know, RockYou takes our users privacy very seriously.  We take

a lot of effort to protect user data from security breaches and attacks.

Unfortunately, RockYou has very recently learned that it encountered a security breach.  As part of this breach, it is possible that someone may have accessed at least your email address and password for the RockYou system.  We felt it was important to notify you of this immediately so that you could take any action you feel necessary to protect your privacy.

If you have any questions, please feel free to contact security@rockyou.com.  We are sorry for any problems this has caused you.

The RockYou team

Hmm “we felt it was important to notify you immediately” … 10 days later? And what’s the excuse for the plain-text passwords? FAIL.

Update: The news only gets worse as it is discovered that RockYou were storing third-party passwords: RockYou Hack: From Bad to Worse.

[thanks ES]

[photo: flickr/naughty architect]

It’s ScamVille, the lawsuit. And we’ve spoken to one other law firm considering a class action claim against these companies.

Will users be vindicated and get their money back? Maybe part of it. A recent class action settlement against WebLoyalty for post transaction marketing scams led to a $10 million settlement, just a tiny fraction of the total revenue pulled in by these offers. The law firms are the ones who get a payday.

Gawker, which broke the story, makes a good point though. That video of Pincus looks bad enough on a blog. Imagine what a jury will think of it. And services like Offerpal have now admitted that what they did was questionable. This will likely settle quickly.

In an email to RockYou’s publishers, they say that they will begin complying with Facebook’s rules on offer scams (and like you, we’re not sure why they haven’t been complying all along, but lax enforcement is likely the cause).

Two interesting nuggets from the email though. First, RockYou says that from now on you’ll only see “clean, safe surveys from top tier brands advertisers.” All of the surveys we’ve seen are mobile subscription scams, so I’m not sure there’s such a thing as a clean, safe survey.

Second, the email says “the Facebook compliance team will be keeping a very close eye on offer walls starting tonight.” We’d heard that Facebook is coming down hard on app developers around scams right now, but Facebook won’t comment about it other than to say that they have always been monitoring application offers and enforcing the rules. From what we’ve seen, that enforcement didn’t bring much in the way of results, but perhaps they’re more serious about the situation now.

The full email:

Subject: RockYou Offers: Facebook Offer Wall Compliance Update

Hi RockYou Publishers,

You may have heard the recent controversy around the types of offers that are being run by most offer wall providers (Offerpal, SuperRewards, etc.). If you haven’t heard, take a look at this post on TechCrunch:
http://www.techcrunch.com/2009/10/31/scamville-the-social-gaming-ecosystem-of-hell/

The Facebook compliance team will be keeping a very close eye on offer walls starting tonight.

Since the RockYou Ad Network is the largest display network on the Facebook platform, we have a long history of working directly with the Facebook compliance team to ensure that we always maintain the highest standards of compliance and ad quality.

We will apply the same level of quality assurance to our RockYou Offers platform.

Some thing to keep in mind that set us apart from the other offer wall providers:
* 100% Facebook compliance starting this evening, and on an ongoing basis
* Clean, safe surveys from top tier brand advertisers
* High quality brand campaigns ranging from video ads to free sample offers
* Cost-per-install campaigns for other Facebook applications

We believe we will continue to outperform the competition based on our diverse advertiser base, and we will do so while always maintaining full compliance with Facebook policy.

Our technology provider for RockYou Offers, PeanutLabs, has also posted an interesting research study they ran over the weekend that clearly outlines how users feel about the scammy offers that have been so prevalent on offer walls:
http://peanutlabs.wordpress.com/2009/11/02/survey-finds-arrington-has-a-point-given-choice-users-overwhelmingly-prefer-direct-payments-and-research-surveys-to-cpa-offers/

We believe the new Facebook policy enforcement is in the best interest of Facebook users and the entire platform ecosystem, and we look forward to working with you as a safe and effective monetization partner.

If you have not yet switched over to RockYou Offers, all you have to do is:
1. Log in to your publisher account at ads.rockyou.com
2. Click on the RockYou Offers tab
3. Follow the 4-step integration process

If you have any questions or issues with integration, please contact Chris or Aaron:

Chris Akhavan
[redacted]

Aaron Choi
[redacted]

Thank you,
RockYou Offers Team

Widgets were all the rage last year. And the trend seems to be growing. Widgetbox, a widget creation and distribution platform, is reporting 500 million impressions worldwide in the past month, according to Quantcast. Widgetbox says that the vast majority of activity exists across hundreds of thousands of publishers who embed the widgets in blogs each month and through partners who integrate Widgetbox’s widget galleries.

That being said, Widgetbox is still behind other widget makers in the space, including competitor RockYou, which had 9.5 billion impressions in the past month, according to Quantcast. Clearspring also seems to have more of a reach than Widgetbox, but we don’t have the comparable Quantcast numbers. Clearspring’s widgets had 520 million unique visitors in April of 2009, according to comScore.

We also received these comScore numbers of uniques for April 2009 for most of the widget producing platforms:

Widgetbox, provides tools for both novice and advanced developers to create a variety of widgets, from simple embeddable RSS feed readers (called “blidgets”) to full social network applications for Facebook, Bebo, MySpace and others. Although Facebook represents only 1% of the widget maker’s traffic, Widgetbox says that they are specifically targeting Facebook as a growing priority, recently launching Facebook Connect integration for users and widgets (which can be published in the Facebook feed). Perhaps this is because of Facebook’s steady growth in the U.S. and its popularity abroad.

Last fall, Widgetbox launched a blog network. To be part of the network, a blog owner needs to embed one of the 29 channel-specific widgets created by Widgetbox. Each widget displays the same leaderboard content as the Widgetbox homepage, which allows users to browse through a network’s top blogs without having to frequently return to the Widgetbox site. The majority of Widgetbox’s impressions come from blogging platforms Blogger and WordPress, with a fair amount of traffic also coming from Bebo and MySpace.

While Widgetbox is seeing success as a startup, it is competing in a crowded space of other more popular widget makers, including Rockyou, Clearspring, and Slide.

if (WIDGETBOX) WIDGETBOX.renderWidget(’21226dae-c512-4e30-865a-d975b1e15df1′);Get the The TechCrunch Network Widget widget and many other great free widgets at Widgetbox!

RockYou VP Business Development Ro Choy apologized in the comments to our previous post, saying “We take privacy of all our partners very seriously and have reviewed and corrected the process that enabled this.”

Despite Choy’s assurance that the problem had been fixed, they did the same thing on November 25 (we gave them a pass that time). And now they’ve done it a third time. In a thinly veiled mass mailing advertisement, RockYou asks scores of developers to buy some of the “600 million impressions that we deliver each day.” And once again, they cc’d everyone, which annoys the recipients to no end. The message is below.

On an unrelated note, if you are looking for advertisers for your Facebook application, I’ve got a very high quality list for sale.

Subject: RockYou Ad campaign

Hi,

Thank you so much for working with us as a pub and/or advertiser. I
wanted to check in and find out if you need help reaching new users to
install your app or engage with your site.

As our long-term partner, we want you to have access to the over 600
million impressions that we deliver each day across our network. We’ve
been running ad campaigns consistently with most of the top 20 app
developers on Facebook and MySpace– driving over 30,000 installs per
day for several clients– so there’s no reason why we can’t help you
grow your application or site through an ad campaign.

If you’d like to find out more about setting up an ad campaign with us
to drive thousands of new users to your site in a matter of hours,
please shoot me a response email or feel free to give me a call. Thanks
a lot!

Regards,

Danielle

—
Danielle [removed]
Ad Sales, RockYou
Email: [removed]@rockyou.com
Office: 650-421-[removed]
Website: rockyouads.com

Pretty run of the mill stuff, except RockYou included every email address in the CC field, providing every recipient (and everyone it’s been forwarded to, including us) with a complete contact list of every major application developer and potential advertiser on the Facebook platform.

Nice.

Hundreds of reply-all’s flowed in. Some of my favorites:

Why, hello everyone in the world who makes Facebook apps.

LOL, did anyone else just get an email from Zynga asking if they wanted a job making games on FB? I love it. Also, which one of you is gonna sell to SpeedDate next? [several yes answers to the Zynga question followed]

Hmm, I didn’t get one. Sucks. Well, we’re hiring too: http://www.seriousbusiness.com. We have really big monitors. And nice chairs. And Ruby. And come on – hands down: WAY cooler logo.

zynga has even bigger monitors, even nicer chairs, and 2 chef cooked meals every day! and siqi is welcome, pending a grueling interview, of course

You fucked us RockYou!

I’m down for a meet up too…Hows Palo Alto everyone? =)

Sounds good to me, I am in Palo Alto until Thursday afternoon if anyone is meeting up. “The Rock You Errant CC Spontaneous Meet Up”

Facebook is continuing its war on Facebook apps that push the limits on acceptable user interaction. Last week it was Slide’s Top Friends App, which it briefly suspended. Later Facebook also suspended another popular app, Social Me.

This time they’re targeting Slide’s rival RockYou and their Super Wall application, which tends to have a lot of spammy user content. But instead of shutting down the application wholesale, they’ve simply turned off the viral components of the app – invitations, notifications, etc.

The consequences have been just as dramatic. A month ago Super Wall had 2.4 million average daily users. Today it’s 600,000 and falling fast.

RockYou CEO Lance Tokuda confirmed that Facebook had shut down features of Super Wall, but says they’re working with Facebook to fix the issues and expect things to return to normal soon.

One thing is clear in all this: Facebook is serious about slapping down app developers who go too far in their efforts to grab new users.