Social gaming website RockYou has agreed to settle pending charges against it by the U.S. Federal Trade Commission (FTC) with a $250,000 civil penalty and other concessions. RockYou was the victim of a data breach in 2009 that exposed the personal information of 32 million users to hackers.
The concessions include not engaging in deceptive claims regarding privacy and data security, maintaining a data security program, and not violating the Children's Online Privacy Protection Act (COPPA).
In its complaint against RockYou, the FTC alleged the company collected information from 179,000 children. Federal law bars the collection, use, or disclosure of personal information for children under 13 years old without their parent's consent. Information collected by RockYou from users who wish to use its website includes date of birth.
The FTC's action against RockYou was part of the agency's wider campaign to ensure companies live up to any claims they make that they will protect consumers' data.
The FTC wasn't the only one out to punish RockYou after the massive data breach was discovered in November 2009. An Indiana man, Alan Claridge, also filed a lawsuit against the company. The case was eventually settled out of court for $2000, plus legal fees, which amounted to $290,000.
The RockYou breach wasn't only significant because of its size--it was also an example of bad password practices. A study of passwords used by RockYou members showed a preponderance of trivial ones: 12345, 123456, password, rockyou, and such.
Using a dictionary of the 5000 most commonly used passwords, the study found, a brute force attack could crack 1000 passwords every 17 minutes.