The site arstechnica.com is reporting that i-Dressup not only experienced a data breach – over 2.2 million users affected – but has been slow as molasses in responding to Ars’s emails notifying them that they have been hacked or, more importantly, in fixing the vulnerability that led to the security failure.
Perhaps we shouldn’t be surprised, merely exasperated, that we’re still hearing about massive data breaches involving passwords stored in plaintext. But when you realize that the site involved in said data breach essentially targets pre-teen and teenage girls, and that operators of such a site can expect not only the usual post-breach criticism and scrutiny but also the prospect of facing an FTC that has shown itself to be enthusiastic in using COPPA to rip companies a new one… well, it really makes you wonder if these people have thought things through.
And then I saw this when I visited their site:
Folks, when you see a typo on the first thing that you lay your eyes on – and it’s big and bold and hard to miss – it tends to be a sign, especially when you consider that it’s not even a grammatical error but a misspelling that any spell checker would have flagged. Visitors to i-Dressup should not have been surprised, perhaps, that things weren’t working like clockwork in the backend.
SQL Injection Attacks, Plaintext Passwords
As Ars notes, hackers gained entry to the site via an SQL injection attack. While the details of the specific approach are not given, assuming it’s one of the more basic variants, it would have been easy to guard against. Indeed, certain types of SQL injection are so well-known that not guarding against them is tantamount to… well, to storing passwords as plaintext. In other words, not even reaching for the bottom rung of good security practices.
And as explored on this blog and elsewhere, you never, ever store passwords as plaintext, because if there is a data breach its ramifications affect not only the hacked site but potentially other sites as well (since people have a habit of reusing usernames and passwords).
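To make the two failings above concrete, here is an added example (not code from i-Dressup or from the Ars report) of a login routine written both ways: one that splices user input into the SQL text and compares plaintext passwords, and one that uses placeholders and a salted, iterated hash. The table names, the sample user and the PBKDF2 iteration count are assumptions; the database is an in-memory SQLite table constructed inline so the script runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumption: iteration count following OWASP's published guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 600_000


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a site's user store: one plaintext table, one hashed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a leaked table does not hand the attacker the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_plain(conn: sqlite3.Connection, username: str, password: str) -> None:
    # The practice the post criticises: the raw password goes straight into the table.
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (username, password))


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt, so identical passwords hash differently
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # VULNERABLE, kept for comparison: input is pasted into the SQL text, so a
    # username containing a quote rewrites the query instead of being matched.
    sql = "SELECT 1 FROM users_plain WHERE username = '%s' AND password = '%s'" % (
        username,
        password,
    )
    return conn.execute(sql).fetchone() is not None


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened: the placeholder keeps the username as data, never as SQL, and the
    # stored hash is recomputed and compared in constant time.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Exercise both routines with a normal login and with the classic comment trick."""
    conn = make_db()
    register_plain(conn, "alice", "hunter2")  # constructed sample user
    register(conn, "alice", "hunter2")
    # A trailing "--" comments out the password clause in the string-built query.
    crafted = "alice' --"
    return {
        "unsafe_wrong_password": login_unsafe(conn, "alice", "wrong"),
        "unsafe_crafted": login_unsafe(conn, crafted, "anything"),
        "safe_crafted": login(conn, crafted, "anything"),
        "safe_right_password": login(conn, "alice", "hunter2"),
        "safe_wrong_password": login(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of running both side by side is that the fix is not clever: a bound parameter and a stdlib hash function close the hole the post describes, and the hashed table is the only one worth anything once a dump lands in the wrong hands.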
In light of the above, Ars’s observation, if true, that i-Dressup “bills itself as a secure site that goes out of its way to protect the privacy of its users, particularly those who are under the age of 13 years old” is grounds for a lawsuit by users. As the FTC has shown time and again, you can’t put words into print and then ignore them, no matter how deeply you bury them in your EULA.
COPPA – Children’s Online Privacy Protection Act
In addition, the FTC will no doubt be looking into this issue. The Federal Trade Commission has shown itself to be very interested in companies that suffer data security breaches, especially when the data of minors (defined under federal law as children under or of the age of thirteen) is involved. In fact, when it comes to minors, the rules are very different. For example, were you aware that under COPPA an email address is considered personal information? From ftc.gov:
3. What is Personal Information?
The amended Rule defines personal information to include:
- First and last name;
- A home or other physical address including street name and name of a city or town;
- Online contact information;
- A screen or user name that functions as online contact information;
- A telephone number;
- A social security number;
- A persistent identifier that can be used to recognize a user over time and across different websites or online services;
- A photograph, video, or audio file, where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.
As you can see, the definition of personal information, when it comes to a minor, is significantly more inclusive than for non-minors. All the more reason, then, to be extra careful about data security if you’re allowing children on your site (it should be noted that many online sites do not allow signups by minors because of COPPA, even if the children’s parents were to authorize it).
While it is true that there is no such thing as an unhackable site, that is no excuse for being lax with a site’s security. Online threats are constantly evolving, and a site operator’s defenses need to evolve along with them. It behooves us to remember that laws will evolve accordingly as well… and rightfully punish those who are derelict in their duty.