So let's start out with: tell us your name and what you do. So my name is Troy Hunt. I am an Australian security researcher, I guess. That term seems to be used a lot. I run the data breach notification service Have I Been Pwned. I write some online training for people and speak at events.
Troy's website, haveibeenpwned.com, is amazing. Basically, if there's a data breach out there where the data is public, Troy knows about it. He collects all the breach data and puts it into his database and lets people search for their email address to see if their account has been in a breach. Yeah, so a typical example: someone pops up and says, look, I've got the data. It's often via an email or a Twitter DM.
And they say, look, would you like it for Have I Been Pwned? They often send me a link to Mega, so they'll put it on Mega or somewhere. Sometimes they ask for attribution as well, so some people want either the notoriety or the fame, as it may be. I go through, grab that data, validate that it's actually legitimate, then load it in, write it up, and
publish it. He's been running this site since 2013, adding all the public and semi-public user account data breach details that he could find, and his site has truly changed how we view our account security. Yeah, just where do you begin? I mean, I guess one of the things that amazes me, I'm looking at the record count now, having just loaded the Dubsmash data last night, and it's almost 6.9 billion records. And I remember when I started it, there were like 155 million records in there.
And I was like, well, this is a lot of data. I wonder if it's going to be able to get much bigger. That is, there have been 6.9 billion email addresses seen in data breaches in the last 10 years or so. That's a lot of email addresses. So this is 6.9 billion breached accounts. So as an example, my own email address has been seen 15 times. So of that 6.9 billion, 15 of them are me.
So these are not unique email addresses. Unique email addresses are more around the sort of four billion something. And I sort of wonder if you're kind of doing the mental arithmetic here and going, well, hang on a moment, how many people are there out there that are actually connected to the internet? And you sort of realize that this is just a really significant portion of online accounts. And you can imagine that if you post data breach details for people to search on, Troy's going to get some interesting feedback.
I remember one company said, look, we've gone and done a domain search, and it's the same three guys in the warehouse on basically every porn site, so we need to be really, really confident that this information is accurate because we've got to go and have some very uncomfortable chats with some of the guys in the warehouse. Can you imagine signing up for a porn site with your work email address and then having it show up in a breach notification to your boss? But there are so many breaches happening these days that it's hard for Troy to keep up on all of it.
Yeah, honestly, at the moment, it is wearing me out because it's so much work. It really dawned on me in January, where I loaded one of these credential stuffing lists, 773 million records, and I loaded it just as I got on a plane to go overseas and have a few days out in the snow with some friends. And I just got thousands of emails and tweets and media, and I just got absolutely bombarded right at a time I was trying to switch off.
And I actually started to become really conscious of the mental toll it's taking, if I'm honest. So that bit is hard. And then underlying that, there's just this massively increasing stream of data. I would have multiple breaches a day sent to me, of all different scales, of course. And at the moment, I'm sort of working through this whole lot, which was published just in the last couple of weeks, which had things like MyHeritage and Dubsmash and MyFitnessPal and all these. It was about a quarter of a billion records there across different unique incidents.
And I need to verify each one of those and then load the data and send the emails and then deal with the onslaught of feedback from it. At this point, Troy has added hundreds of website dumps into his database. The breaches today are really quite common. Let's roll back the clock and dive into a breach that happened a long time ago, but had a big impact on how we view security today. These are true stories from the dark side of the internet.
I'm Jack Rhysider. This is Darknet Diaries. The common thread in where a hacker comes from is that many of them had a computer in their home as a teenager.
When a teenager has a computer, they will probably want to play video games on it, and some will be curious about those games and start playing with the mechanics of the game itself by exploring the files of the game, maybe changing one of them to see what it does. They might then look online for cheats or even hacks to make the game do things it's not supposed to.
And this might fascinate a teenager even more. And they begin to think about more things they can do with this, maybe write a program to automate the video game or find a way to make copies of it for friends. The curious mind and the endless tunnel of the internet are a beautiful combination. But having that while being a teenager can be even more powerful.
If you're in high school or college, living at home with no job and have an obsessive fascination with that hunk of metal in the corner of your room, you can spend an insane amount of time on that thing. Literally, staying up all night on the computer, sleeping only a couple hours, and then going to class is not that uncommon. And as soon as school's out, they'll go right back to the computer again.
And it's not just playing video games, but also learning HTML or how to code and finding different things to learn on the internet. A teenager can easily spend 10 hours a day on a computer, and they can learn how to build things and how to break things. Making stuff and breaking stuff becomes the new obsession.
Malcolm Gladwell once famously wrote that you can master something if you spend 10,000 hours doing it. And if you spend 10 hours a day for three years, that's 10,000 hours. Not everyone has this opportunity of owning a computer, having an endless curiosity towards technology, and not having that much responsibility as a teenager. And if you had this, consider yourself privileged, because having access to a world of information right there in your bedroom, and having the luxury of time to be able to spend countless hours on it, is not something everyone has. But like I was saying, this is the common story of how many hackers got started, or security professionals. They're really two sides of the same coin.
This is how I imagine Tom got started with computers. Tom was your average security professional. He likely put in his 10,000 hours in front of a computer and worked his way up to a solid gig securing the network for a company. He knew computers well. Oh, and Tom's not his real name, by the way. That's just the name given to him by the New York Times.
Tom could code, troubleshoot PC problems, and he knew his way around databases really well. And somewhere along the way of learning all this, he got curious about hacking. He started looking at websites to learn how you can do things to computers you really shouldn't be allowed to do. He thought this was cool and wanted to learn more. He found a website that had all kinds of tutorials on how to hack.
How to write a bot, how to write exploits in Python and stuff like that. The site had a forum too, and he joined it and used it to ask questions and learn more about hacking. The weird thing about the internet, it's so big, right? And there's so many corners and pockets of people in each crevice of it that wherever you go, it feels like everyone is doing this thing. If you go on Instagram, it feels like everyone's traveling. If you go on Facebook, it feels like everyone's having babies. And if you go on a hacker forum, it feels like everyone is hacking.
And I don't know if Tom was just bored at work or felt mischievous or just thought, because he hung out on the hacking forums where it appeared that everyone was doing this, that it seemed cool to hack. I mean, these forums would sometimes have a post of someone showing you step-by-step how a specific website is vulnerable to an attack. And if you were quick enough, you could follow the steps and get in and look around. So Tom was seeing a lot of this, and started to poke around at websites himself to see if he could find a way to hack a website.
The thing is the internet is huge though, and it's hard to know where to look to try to find a website that's vulnerable. At least there wasn't a good spot back in 2009 when this story took place. So Tom would visit websites he knew about and start checking to see if they were exploitable. He was going through a bunch of websites that he could think of and testing if any of them were vulnerable to certain attacks. He would go to these websites and click the login button and then put a single quote in for the username and password and hit login.
The website should come back with a message saying invalid login, user not found, or something like this. But one website he did this on said something else. Instead, it looked like the website had crashed. The whole page went blank, and it just displayed a little error saying, you have an error in your SQL syntax. You might be thinking, wait, how is it that if you put a single quote in for the username and try to log in with just that, it gives you an error saying your SQL syntax isn't right? Well, I'll tell you.
SQL, often pronounced "sequel", is the language used to talk to databases. Websites that have users who can log in have a database where the user information is kept. And when a user tries to log into the site, the website has to ask the database whether that user is in the database.
And in this case, Tom asked whether a user that's just a single quote exists. And this single quote was passed right into the database query. But SQL treats the single quote specially. Web developers should not trust input from the user and should sanitize it and handle it differently. But when Tom saw the website was telling him he had a SQL syntax error, he knew immediately what this meant.
The website was not sanitizing its user inputs properly, and he could issue SQL commands and query the database right through the username field of the login page. This is known as SQL injection, and it's been a known attack since 1998. But still, even today, web developers struggle to properly sanitize user inputs, and it's constantly one of the biggest threats to websites.
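To make the single-quote symptom concrete, here is an added example (not code from the episode or from any of the sites discussed). It builds a constructed in-memory user table, then shows the broken pattern, where the username is pasted into the SQL text and a lone quote makes the database throw a syntax error, beside the parameterised version, where the same quote is just a value that fails to match. The table rows, the `login_vulnerable` and `login_safe` names and the use of plain SHA-256 for the stored value are all assumptions made for the demo.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory user table; the rows are invented sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Unsalted SHA-256 is used only to keep this example short; it is not a
    # recommendation for real password storage.
    rows = [("alice", hashlib.sha256(b"correct horse").hexdigest()),
            ("bob", hashlib.sha256(b"battery staple").hexdigest())]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is concatenated straight into the SQL text.
    A lone single quote unbalances the quoting and the database reports a
    syntax error, the symptom described in the story."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + pw_hash + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # This is the "you have an error in your SQL syntax" moment.
        return "error: " + str(exc)
    return "ok" if row else "invalid login"


def login_safe(conn, username, password):
    """The fix: a parameterised query keeps the input separate from the SQL,
    so a quote (or anything else) in the username is only a value to compare."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash)).fetchone()
    return "ok" if row else "invalid login"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "anything"))      # error: ... (SQL syntax)
    print(login_safe(db, "'", "anything"))            # invalid login
    print(login_safe(db, "alice", "correct horse"))   # ok
```

The difference a defender should look for in a code review is the second function's shape: the query text never changes, and the database driver delivers the username as data. A login page that returns a database error message to the browser, as the first function does, is itself a finding worth fixing, because it tells a visitor how the query is built.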
So Tom saw this website was vulnerable to SQL injection and started seeing what kind of fun he could have. Oh, I should say the website he found the SQL injection on was CSFD.CZ, which is like IMDb, but in the Czech Republic. It's an online movie database in Czech.
So he started passing SQL commands to the database through this login page. At first, he discovered the database name, which was called public. Okay. Next, he looked at the tables within the database. There were 42 tables here, things like forum posts, film names, film ratings, and things like that. Not a big deal. This is all public information that you could theoretically scrape from the website if you wanted to. But then he saw a table that caught his eye: uzivatele, which is the Czech word for users.
He quickly issued a command to see the contents of this users table, and sure enough, it had all the user data. He saw usernames, hashed passwords, and email addresses of every user on the site. Now keep in mind, he's doing all of these SQL queries from the login page of the website. He's not even a user on the site, and still he could see all of the database content.
This was a big deal for this fairly popular Czech website to have been accessed by Tom like this, and it put a big smile on Tom's face. He looked to see how many users there were on the site, and there were 187,000.
This included their login name, email, and password hash. A password hash is not a password. It's what the password looks like after you run it through an algorithm called a hash. This is how you should store passwords: hashed. And a large list of password hashes like this could be cracked over time. So he started downloading them all, and he spent a few weeks looking around the database and site.
He'd go to work, do his day job, and then come home and continue poking around this website. Until one day, Tom lost access to the website and saw an email from this Czech movie database which was sent to all customers. It said they were migrating to a different database with different password storage.
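The story says hashes are how passwords should be stored, and that a big list of hashes "could be cracked over time". The added example below (not code from the episode) shows the storage pattern that makes that cracking slow: a random per-user salt, a deliberately expensive key derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), a self-describing record so the work factor can be raised later, and a constant-time comparison on verification. The record format, the `ITERATIONS` value and the function names are assumptions for this demo.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this demo; in production raise it until one hash
# takes on the order of 100 ms on the servers that verify logins.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, work factor, per-user salt, digest.
    The salt means two users with the same password get different records, so a
    cracker cannot attack the whole table with one guess at a time."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and work factor, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                             # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)                                # pbkdf2_sha256$200000$<salt>$<digest>
    print(verify_password(record, "hunter2"))    # True
    print(verify_password(record, "hunter3"))    # False
```

Because the iteration count travels with each record, a site can raise it for new passwords and re-hash old ones at next login, without a migration of the kind the Czech site announced.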
Something about this email upset Tom. He thought they were lying to their customers and hiding the fact that they've been breached. So Tom wanted to tell the world that he hacked this site and that's why they're wanting to change databases. So he decided to make a blog post. But where's a safe place to post about hacks?
WordPress and Blogger sometimes took down illegal content, so that wasn't gonna work. Registering his own domain and hosting it himself, I don't know, just wasn't a good option. So he gave Baywords a try. Baywords was a simple blogging platform, and it was started by the same people who started the Pirate Bay. It was meant to be a free speech zone for people who wanted to blog about things that might be taken down by other platforms. So Tom made a Baywords account and made his first blog post, under the name IGIGI.
His post said the CSFD.CZ website had been hacked. And he said if you get an email from the company saying they are migrating servers, don't believe it, and that they were trying to recover from Tom breaking in and downloading all their stuff. And Tom also said his access was terminated, but he still had two other ways into the network.
He then goes on to post sample snippets of what he'd stolen. This included all the names of the tables, as well as 20 usernames and password hashes. Then he spread his post around a few hacking forums to show what he did. A few people commented on this post, some calling him an idiot, others saying he had no ethics, someone else encouraging him to post the entire database. I don't know what the website itself did, because I couldn't find any news stories about this breach other than Tom's post.
But this was great fun for Tom. He really enjoyed the feeling of hunting for insecure websites and breaking into them and looking at their databases. So he kept looking for more. And two days after posting that he hacked into the Czech movie database website, he made another Baywords post.
This time saying he hacked into a Slovakian architecture firm. And he posted a sample data set from there. The next day, another post, saying he hacked into a Czech e-commerce store, and this one was actually storing their passwords in clear text. Then the very next day, he hacked into another Czech website, which posts dark humor content, videos and jokes and stuff like that. In fact, this was a site he said he actually liked, so he had a lot of fun hacking into it.
Tom was on a tear, finding website after website vulnerable to SQL injection and hacking it, downloading the user database and posting it like a trophy to his Baywords blog. But he wanted more. He needed more. This hacking stuff was a wild rush of adrenaline and fun,
so much different than his plain old day job, and it was getting him notoriety. I have a feeling Tom was from the Czech Republic or Slovakia because all the websites he hacked were there. It's just a lot harder to hack a website that's in a foreign language. One of the hacking forums he liked to go to had a section where people would post vulnerabilities they found on websites. One of these posts said that RockYou.com was vulnerable to SQL injection.
RockYou.com was a popular American website at the time. They built widgets and tools for social media. For instance, they built a Facebook app called SuperWall back in 2007. And this gave you the ability to post more cool stuff to your Facebook wall, like videos and images and stuff. People loved this app and it grew in popularity. Over 100,000 people installed it, and they liked to decorate their Facebook pages in unique ways.
Now to use RockYou apps, you had to make an account at RockYou.com, but because it was so integrated into your social media, RockYou also needed access to your Facebook or MySpace pages, and they were making social media games too. They were killing it on Facebook and MySpace with tons of great apps to enhance the social media experience.
RockYou was getting invited to exclusive events and getting early access to API features and abilities. More and more people started using the RockYou apps. The company was looking to be a promising startup. They raised $10 million in funding, then another $3 million, and they just kept getting more and more funding. They were hiring more employees too, aggressively becoming a successful startup, and their popularity was booming. RockYou was growing fast, but they were making some mistakes along the way.
One mistake that RockYou made was an email they sent to all 450 of their ad partners talking about an upcoming change. The mistake was that they emailed them all in the CC field and not the BCC field. So all 450 of their ad partners knew who their competition was, and many of them were Facebook app makers themselves.
Zynga was on this list and they took advantage of it and started emailing many of the people on the list asking if they'd like to come work at Zynga. There was a huge reply-all email chain that resulted from this, and it was bad and hilarious. A Vice President of RockYou came out and apologized for the email and promised to take privacy more seriously and correct the issue. But guess what? Two months later they did the same thing again, accidentally CC'ing the entire ad partner list.
And then they did it again not long after that. This began infuriating some ad partners. Mistakes were made, that's for sure. Another security issue that RockYou had was their password policy. Your password had to be a minimum of five characters long and could not include any special characters. This is really weak even by 2009 standards. And RockYou would be made fun of for that over and over.
So, in November of 2009, when someone posted in his hacker forum that RockYou.com was vulnerable to SQL injection, this caught Tom's interest big time. He immediately started checking for himself, and sure enough, he was able to get right in. And this was a massive database. Forget about the 187,000 users in that Czech movie database website. RockYou had millions of users. Tom was blown away by this.
It's such a big and fast growing company with such a simple vulnerability. In fact, the SQL injection Tom used to get in was very close to the same one posted in Phrack magazine in 1998. And so 11 years later, RockYou.com was open to the same exact vulnerability. They didn't have their users' best interest in mind. So Tom started going through the RockYou.com database and taking all of the user data he could find,
downloading hundreds of thousands of logins, which quickly became millions, and then tens of millions. It took a while for him to get all this, and he would spend days downloading all this data out of the database. And what he does with that data will change the way we view password security even today. Tom wasn't the only one that noticed the forum post that RockYou was vulnerable to SQL injection. Someone else had noticed this too. So my name is Amichai Shulman.
And by 2009, I was working with Imperva, a company that I founded in 2002. Amichai has a strong background in security. In fact, he started out in Unit 8200, the secret Israeli military intelligence division. Yes, I spent eight years with the military. One of the lessons, the bigger lessons I took from being on the defensive side of the military was that, you know, when you're in the military,
you think you can command people to do things. And you go to application programmers and you tell them, you have to write secure code. That's an order. You have to use prepared statements so you don't get a SQL injection. That's an order. And when you see that this kind of practice cannot be enforced in the military, you get to understand that it is even less effective in commercial environments. So sometime after Amichai finished his time in 8200, he went off and co-founded a company called Imperva, which helps companies secure their applications. He was good at defending the network and put his expertise to use. So in December of 2009, a security researcher at Imperva saw the forum post that RockYou.com was vulnerable to SQL injection.
He notified RockYou of this vulnerability, and RockYou quickly got to work fixing the problem. They worked all weekend to resolve this SQL injection on their site, but while doing so, they realized it was too late. RockYou had seen that someone else had been in the site and downloaded a copy of their entire database.
A small news article came out about Imperva warning RockYou of this vulnerability. Tom the hacker saw this article and went crazy. By this point, not only had he hacked into the site, but he had downloaded their entire user database. Tom downloaded 32 million user accounts from RockYou.com.
He looked at the 32 million accounts he stole and then looked at the article which said the vulnerability was fixed. And he thought, well, it's too late. You've already been hacked. The privacy policy on RockYou's website was not the best. First, it says the company makes reasonable efforts to keep its users' data safe, but security is not ensured and you should use the site at your own risk. It actually says when you give any data to RockYou, you are doing so at your own risk. Then the policy goes on to say that if RockYou learns of a breach, they may contact their customers to tell them.
Well, Tom had breached them and they weren't notifying their customers.
He wanted to expose their weak security and get them to admit that they'd been breached. So what does Tom do? He writes another post on his Baywords account, this being the fifth post of the month about him hacking into various websites. On December 15th, 2009, Tom posts to his blog saying that he's taken 32 million accounts from the RockYou.com website, and he shows a little snippet of what he took. Then he even taunts RockYou by saying, don't lie to your customers or I'll post everything.
Someone saw this Baywords post and tweeted it, tipping off a few news outlets to the breach. TechCrunch was the first to report on it, saying that 32 million user records were stolen from RockYou.com and urging readers to change their password immediately. The journalist posted this right away and then examined the snippets from Tom's dump closer and saw something else.
RockYou had been storing the user passwords in clear text. What Tom posted a snippet of wasn't a hash of the user's password, it was the actual passwords. He only posted about 24 user details and he slightly obscured the passwords, but still, what Tom had was 32 million usernames with their passwords.
This was a huge lack of security on RockYou's part. Storing user passwords in clear text is a terrible idea. You might think, oh, well that's 2009, times were different then, but the Linux operating system had already been hashing its passwords for 10 years by then, so it was not a fringe idea to hash passwords.
And the thing is, we all reuse passwords, especially back in 2009. So these passwords might also work on the user's email, social media, and banking logins. Tom even wondered what percent of these people have PayPal accounts, and if the password would work there too. And if he just took $10 from each of those accounts, he'd probably have a lot of money.
But something even more shocking was shown in the small snippet Tom posted. Not only was RockYou storing logins to their own site, but they were also storing the usernames and passwords for social media sites too. Because if you wanted to use a RockYou MySpace app, you'd have to log in to both MySpace and RockYou to use it. So RockYou would capture these MySpace logins and store them on their own site, again in clear text, not encrypted, not hashed, not secure at all.
TechCrunch saw this, posted a second article, and reached out to RockYou, asking when they were going to tell their customers about this breach. And within 24 hours of TechCrunch writing the article, RockYou did send a notification to its customers saying there had been a breach and that a person took usernames and passwords. They didn't say anything about the social media usernames and passwords, and they didn't mention the passwords were stored in clear text. But they did make sure to say several times that they take security and privacy very seriously.
News of this breach spread fast. RockYou was a popular site, and in fact, by that time in 2009, this was around the fifth biggest breach of all time. 32 million records was a lot, so this was big news. Tom looked through the 32 million username and password records, and he wondered what he should do with it.
He liked looking at what passwords people are using. A lot were just their first name, or band name they like. This fascinated Tom, and he kept looking at people's password choices. Of course, a lot of them were really bad, since the minimum length had to be five characters, and no special characters were even allowed.
Tom thought if he was finding this interesting, maybe other people would find this interesting too. So he extracted only the passwords out of the dump, all 32 million of them, and put them in a text file. There were no usernames, no email addresses, just 32 million passwords. And he posted this to RapidShare, a popular file sharing site, and he told a few people in a hacker forum about it. Amichai noticed this and grabbed a copy of the password list because this could be really interesting.
I think, at least for me, it was the first time that we saw that many passwords in a single file. And we said, OK, what can we do with it? When the password list got in the wild, some news sites reached out to Imperva for another comment. But for Amichai, going through 32 million passwords was going to take a long time. And I have to say our PR agency was not happy about it because I told them it's going to take time.
And we're not going to have a comment on this in two hours. It will take us at least a week to process the file and understand what we can find and learn from it. So they were not happy to begin with.
This got downloaded by many other hackers really quick. This was hot stuff. Like I said, this was around the fifth largest breach at the time, and since these passwords were in clear text, this was an amazing dataset of words to try when cracking passwords. Previously, there were simple dictionary word lists, but now this was a massive list of actual passwords people were using. The RapidShare link didn't stay up long. It was taken down pretty quick, and it didn't matter. The password list got out in the wild, and at that point started getting shared and spread among many hackers and security professionals online.
Amichai and Imperva started making sense of the password list. They looked at what the most commonly used passwords on the list were. Here, I'll read them to you. Each one of these passwords I'm about to read had at least 10,000 people who used it. 123456.
290,000 people used that password. 12345. 123456789. password. iloveyou. princess. 1234567. rockyou. 20,000 people used rockyou as their password. 12345678. abc123. nicole, daniel, babygirl, monkey, lovely, jessica, 654321, michael, ashley,
qwerty, 111111, 000000, michelle, tigger, sunshine, chocolate, password1, with the number one at the end. Ah, very clever. Only 11,000 people thought of that one. soccer, anthony, friends, butterfly, purple, angel, jordan. This was an eye opener for us. That was, you know, when we got that, you know, large proportion of entries that corresponded
to a relatively small number of unique passwords, that was like an aha moment for us.
This was incredible data. It was such a rare glimpse into what passwords people were actually using in the real world on a massive scale. Nothing like this had ever been seen before. Amichai had found that if you take the top 5,000 most frequently used passwords, you could crack 20% of all passwords. So that's a huge thing because it changed
the way that we were thinking about credential theft attacks, or what attackers would do with this kind of file. Or put another way, if I wanted to get into a single user's account, not on RockYou, but on any site, Facebook, Gmail, a bank, if I try each of those top 5,000 passwords, I have a 20% chance of getting into that single account.
Exactly. So either way you look at it, you understand that relying on the fact that attackers will use high-volume, noisy brute force attacks against every possible password is the way to detect attacks. And I do think that once we understood that, it was actually easier for us to really detect more attacks than we thought, out there in the wild. And again, I think that this publication with the large number ignited the whole discussion about password strength.
As you can see, this was a gold mine for hackers to have. With a password set like this, the likelihood of them hacking other accounts significantly went up. Hackers were able to use this password list to get into many accounts after this. But at the same time, it gave defenders the ability to know how to detect such an attack.
Because now we know attackers really don't need to try millions of potential passwords. They could just try the top 5,000, or maybe the top 1,000, or the top 500, or even the top 5, and still have a decent chance of getting in. When we came up with the report, like, almost two weeks after the incident, it turned out that the New York Times showed a lot of interest, and it got us much, much, much more publicity. So the PR people were not that mad at the time.
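The two defender-side consequences drawn above, that a short list of top passwords covers a large share of accounts, and that an attacker who knows this can get in with a handful of guesses per account instead of a noisy brute force, can both be shown in a few lines. The added example below (not code from the episode or from Imperva) first computes top-N coverage over a constructed, toy-sized password frequency sample, then refuses a new password that sits in that top list, and finally runs a password-spraying detector over constructed authentication log lines: it flags a source whose failures are spread thinly across many accounts. The counts, the log format and the thresholds are all assumptions, and the counts are deliberately not RockYou's real numbers.

```python
import re
from collections import Counter, defaultdict

# Constructed password frequency sample (toy counts, not the real RockYou figures):
# ten popular passwords plus a long tail of passwords used exactly once. Total 1000.
SAMPLE_COUNTS = Counter({
    "123456": 290, "12345": 80, "123456789": 77, "password": 60, "iloveyou": 50,
    "princess": 34, "1234567": 22, "rockyou": 21, "12345678": 20, "abc123": 17,
})
for i in range(329):
    SAMPLE_COUNTS["unique-pw-%d" % i] = 1       # tail: 329 one-off passwords


def top_passwords(counts, n):
    """The n most frequently used passwords, most common first."""
    return [pw for pw, _ in counts.most_common(n)]


def coverage(counts, n):
    """Fraction of all accounts that use one of the top-n passwords: the
    'top 5,000 cracks 20%' style of figure, computed for any list and any n."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total


def is_blocklisted(password, counts, n):
    """Defender-side use of the same list: reject a new password that an
    attacker would guess in the first n tries."""
    return password in set(top_passwords(counts, n))


# Constructed authentication log (hypothetical format: timestamp, source, user, result).
LOG_LINES = [
    "2009-12-16T10:00:01 src=198.51.100.7 user=alice result=fail",
    "2009-12-16T10:00:02 src=198.51.100.7 user=bob result=fail",
    "2009-12-16T10:00:03 src=198.51.100.7 user=carol result=fail",
    "2009-12-16T10:00:04 src=198.51.100.7 user=dave result=fail",
    "2009-12-16T10:00:05 src=198.51.100.7 user=erin result=fail",
    "2009-12-16T10:00:06 src=198.51.100.7 user=frank result=ok",
    "2009-12-16T10:01:00 src=203.0.113.5 user=alice result=fail",
    "2009-12-16T10:01:01 src=203.0.113.5 user=alice result=fail",
    "2009-12-16T10:01:02 src=203.0.113.5 user=alice result=fail",
    "2009-12-16T10:01:03 src=203.0.113.5 user=alice result=fail",
    "2009-12-16T10:02:00 src=192.0.2.1 user=grace result=fail",
    "2009-12-16T10:02:05 src=192.0.2.1 user=grace result=ok",
]

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")


def detect_spraying(lines, min_users=5, max_per_user=2):
    """Flag sources whose failed logins are spread across many accounts with
    only a few guesses each. A per-account lockout never fires on this
    pattern, which is exactly what a top-N password list makes practical."""
    failures = defaultdict(Counter)           # src -> Counter(user -> failed attempts)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                          # skip lines that do not match the format
        src, user, result = m.groups()
        if result == "fail":
            failures[src][user] += 1
    flagged = []
    for src, per_user in failures.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    print(top_passwords(SAMPLE_COUNTS, 5))            # ['123456', '12345', ...]
    print(round(coverage(SAMPLE_COUNTS, 5), 3))       # 0.557
    print(is_blocklisted("123456", SAMPLE_COUNTS, 10))  # True
    print(detect_spraying(LOG_LINES))                 # ['198.51.100.7']
```

The second source in the constructed log (four failures against one account) is the classic brute force that a lockout rule already catches; the first source is the quiet pattern the speaker is describing, visible only when failures are grouped by source across accounts.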
This article actually hit the front page of the New York Times, and it said, if your password is still 123456, it might as well be HackMe. RockYou sent more notifications to its customers, outlining certain steps they were taking to ensure security going forward, and they started hashing their passwords after that too. But this breach caused a major loss of customers. Many people were deleting their accounts and avoided using their apps. Their growth and climb to success had stalled and was actually going backwards.
About a year after the breach, RockYou announced a massive amount of layoffs. Many people were let go as the company restructured its resources, and the co-founder himself stepped down from his position as CEO. RockYou was determined to recover though and rise up again. One of their arch rivals was bought out by Google, and RockYou had gotten even more funding from venture capitalists. They used it to buy up a few small-time video game studios and continued to create apps for social media.
And by another strange turn of events, this hack was mainstream enough that it was actually a question on a game show.
Fox created a game show called Million Dollar Money Drop. A husband and wife couple is asked some trivia questions, and they have a chance to make a million dollars. One couple was doing really well, and had worked their way up. If they could answer this next question correctly, they would win $580,000. Let's take a look at the question. And it was something like, in the Imperva report, what was the most common password, something like that. So, you know, you've got 60 seconds.
Okay, pop quiz, let's see if you're listening. Do you remember the most common password I mentioned a few minutes ago? Here are the answers to pick from. I love you, password, and one, two, three, four, five, six. And the contestants, they got the answer wrong. They put all their money on password, but the right answer was one, two, three, four, five, six.
They ended up losing $580,000. And then six months later, the contestants sued the broadcasting company because they claimed it was a tricky question. They were claiming that the way the question was worded seemed like they were asking, what's the most common password? And they didn't know the report only covered the RockYou database, which I have to admit is a really weird question, even for me, who follows security, to mention a specific security report by name. Who's going to know what's in that report off the top of their head?
Strangely enough, this game show had another lawsuit against them on a different episode. The contestants had an $800,000 question, but got it wrong. And then when they went home, they looked it up and found they were actually right. They sued the game show, which admitted they made a mistake and invited them back on to compete again. But neither of these contestants got anything pursuing the game show because Fox canceled the entire game show a year after it debuted.
A couple of class action lawsuits sprang up against RockYou, one in Indiana and the other in California. The California one went on to court, and RockYou asked the judge to dismiss it entirely. RockYou was claiming that while the customers' data was stolen, the customers couldn't provide any evidence showing that this had caused them any harm. And this is what a lot of class action lawsuits come down to after a breach, whether there's any identifiable damage done to the customers or not.
But the judge disagreed with RockYou and didn't dismiss the case. The judge said that while there wasn't any visible harm done to customers, there was an unidentifiable amount of harm done. The victims felt violated by having their private information exposed like that. And to the judge, that was enough. RockYou settled this class action lawsuit by paying the plaintiffs $2,000 and also covering their lawyer fees.
While it seems like a small amount, it kind of changed the way lawsuits were handled after this. Simply having your personal, identifying information stolen is now worth some money. So it's just kind of a warning to other online companies. After that lawsuit was over, the Federal Trade Commission had a few things to add.
The FTC investigated the breach and found that RockYou had stored almost 180,000 children's records too. These are people who are under 13 that had accounts on RockYou's website. When handling children's data, extra security precautions have to take place, which fall under the Children's Online Privacy Protection Act.
The FTC determined that RockYou had known that children were users on the site and they didn't protect their data, which put them in violation of these rules. Specifically, the rules they broke were not obtaining parents' permission before registering on the site and not protecting the confidentiality and security of personally identifiable information of children.
Because they violated these rules, the FTC fined RockYou $250,000. Not only that, they demanded RockYou delete all information relating to children under 13. But they also must undergo security audits from a third party every other year for the next 20 years. Violating any of this will cause even more fines.
RockYou continued to build up its reputation. They purchased more game studios and made more apps after that. They hired more key people and had some fairly successful games. But something about their business model didn't work as well as they'd hoped. They struggled to keep things going and had some internal failures. I started researching the story earlier this year, and I went to RockYou.com's website last month to check it out.
It looked sharp, hip, trendy, and they were talking about their future. About eight months ago, they got another $10 million in funding, and they just acquired a company called mom.me in January. And they were announcing they're going to upgrade their servers in the next coming weeks. It looked like good things were ahead for RockYou. But a few weeks ago, I went back to the website, and it was totally down.
It's been down for three weeks now. If you try to go to RockYou.com right now, it says Error Connection Reset. And this is odd because the site was just there last month. I turned to look for their Twitter account, and it's been deleted. Their Facebook page is also gone. It's like their entire company vanished right in front of my eyes.
I did some research, and I found what's going on. On February 13, 2019, RockYou filed Chapter 7 bankruptcy in New York State. They seem to have quietly closed up shop, and it's really weird because there's just no mention of this in any type of publications or news sites at all. But from the looks of it, they may be gone forever.
I don't know why the company had done so poorly in the last 10 years since this breach, so I'm going to guess there were a series of other problems they faced that they just couldn't overcome, perhaps a few bad investments or poor leadership decisions. It looks like they were running some poker and bingo games that paid out with real money, but a lot of people never got paid and got mad the site shut down while owing them money. It even says in the bankruptcy documents that there is over $500,000 in unpaid customer winnings.
So what happened to Tom, you might ask? I don't know. After he posted this RockYou breach data, he kept blogging for a few more days after that. And he did an interview with a news outlet and then disappeared, seemingly forever. And we don't even know his name. He went by IgI on his blog posts, and Tom is just the name the New York Times gave him.
There's never been any news of him getting caught or facing charges. Tom said in the interview, they're now hunting for me, but why? I didn't do anything wrong. They should now be in jail because they put all those people at risk. What I did was just for illustration. Tom wants us to think about who the real villain is here. He thinks it wasn't him, and RockYou thinks it wasn't them. Can you be the victim and the villain at the same time? These are good questions.
I asked Troy Hunt what he thought of the punishment that RockYou got from this. It's an interesting question because for me, particularly around things like class actions, there's always this question of impact. So if we're talking about individuals out there that are taking part in a class action, I guess I would like to assume that in order for there to be retribution from a company, there needs to have been some sort of damages.
And the hesitation I have with RockYou is that when we're just talking about a whole heap of passwords, not associated to individuals, floating around, it's probably very hard to sort of draw that back and say, ah, I had my identity stolen because of RockYou. Well...
The only way that really makes sense is if you're using that same password everywhere and someone gets what it was. So I'm a little bit hesitant on the class action side of the thing unless there's a really clear line of attribution back to the original incident. I'm more supportive of regulatory penalties where we have someone like the FTC being able to say, look, you guys just simply didn't do enough to protect your customers.
we're going to ping you at that level. So I'm more supportive of that. And if I'm honest, I'd like to see it happen a lot more. And this data breach changed the way we think about password cracking even today. RockYou has sort of been one of those canonical sets of data that people have had for many, many years. And I guess the interesting thing is now, like a decade on, we know that people are still using the same sorts of passwords that they were back then as well. So the, I guess, the long-term value of RockYou was still there.
For years, the data Tom posted was the very best password list you could use when cracking passwords. In fact, it became so good and passed around so much that it became included in many popular hacking programs and OSes. Even today, Kali Linux, a popular hacking operating system, comes with the RockYou password list on it by default. You can find it right there in the /usr/share/wordlists directory.
I've personally used this wordlist to crack many passwords in my time. And now, I know where it came from. So, bye Tom, and thanks for all the cracked passwords.
You've been listening to Darknet Diaries. A big thanks goes to Amichai Shulman. The company he helped start, Imperva, was just acquired a month ago for $2.1 billion. But Amichai left the company just before this acquisition. Another big thanks goes to Troy Hunt. He recommends using a unique, complex password for every website you visit and checking haveibeenpwned.com to see if your email has been seen in a breach.
For show notes and links, check out darknetdiaries.com. Please tell your friends about this show; it always really makes my day when I hear you do that. The show is made by me, the dark spark, Jack Rhysider. Theme music is made by the hashed and salted Breakmaster Cylinder. Look for a new episode in two weeks.