RockYou was a company that developed widgets for MySpace and implemented applications for various social networks and Facebook. Since 2014, it has engaged primarily in the purchases of rights to classic video games; it incorporates in-game ads and re-distributes the games.
Based in San Francisco, California, RockYou was founded in 2005 by Lance Tokuda and Jia Shen. The company's first product, a slideshow service, was designed to work as an application widget. Later applications included various forms of voice mail, text and photo stylization, and games. As of December 2007, it was the most successful widget maker for the Facebook platform in terms of total installations. In May 2007, RockYou
A hardware authentication token, responding to a notification e-mail or, less often, by providing a biometric sample such as voice recognition. Users can then either specify a new, unlocked password, or ask that a randomly generated one be provided. Self-service password reset expedites problem resolution for users "after the fact", and thus reduces help desk call volume. It can also be used to ensure that password problems are only resolved after adequate user authentication, eliminating an important weakness of many help desks: social engineering attacks, where an intruder calls
A Mochi Award for Best Social Game. RockYou's investors include SoftBank, Sequoia Capital, Lightspeed Venture Partners, Partech International, and DCM. In 2011, the company agreed to undergo two independent security audits to settle a proposed class action in California over the 2009 data breach that exposed millions of passwords and email addresses. In 2012, the company settled Federal Trade Commission charges. The settlement barred future deceptive claims by
A data breach resulting in the exposure of over 32 million user accounts. The company used an unencrypted database to store user account data, including plaintext passwords (as opposed to password hashes) for its service, as well as passwords to connected accounts at partner sites (including Facebook, Myspace, and webmail services). RockYou would also e-mail the password unencrypted to the user during account recovery. They also did not allow using special characters in
A free dating service. Since many organizations have standard ways of determining login names from real names, an attacker who knows the names of several employees at such an organization can choose one whose security answers are most readily obtained. This vulnerability is not strictly due to self-service password reset—it often exists in the help desk prior to deployment of automation. Self-service password reset technology
A neighbour, continuing to call the help desk, etc.). Some companies have created software which presents a restricted web browser at the login screen with the sole ability to access the password reset page without logging into the system; an example of this is Novell's Client Login Extension technology. Because these technologies effectively give the user access to computer resources, specifically
A web browser, to reset passwords without authenticating to the computer, security is a high priority and capabilities are very limited so that the user cannot do more than is expected in this mode. There are two additional problems related to the one of locked out users: In conjunction with preference-based authentication, self-service password reset procedures could also rely on the network of existing human relations among users. In this scenario,
Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in
Is another important aspect which modern SSPR needs to address. The Role-Based Access Control (RBAC) feature is responsible for access-level provisioning for users. When doing critical self-service password resets for privileged accounts, you may want to allow account unlocks and restrict password change functionality. The support teams have the responsibility of changing the passwords of these accounts. More information and videos on how such portals work in practice can be found under
Is commonly used in dictionary attacks.

Jia Shen is an American technology entrepreneur best known as the co-founder of RockYou, a company that developed games and widgets for social networks, such as Myspace and Facebook. At RockYou, Jia led the company to acquire over 400 million users and raise over $140 million in investment. In 2014, Shen founded the company PowerCore, which creates smart toys and branded merchandise for brands, such as Battle Tails, Mino Monsters, and Business Fish. Most recently Shen leads
Is enabling users to access the system if they forgot their primary password. Since SSPR systems are typically web-based, users need to launch a web browser to fix the problem, yet cannot log into the workstation until the problem is solved. There are various approaches to addressing this Catch-22, most of which are compromises (e.g., desktop software deployment, domain-wide password reset account, telephone access, visiting
Is often used to reduce this type of vulnerability, by introducing stronger caller authentication factors than the human-operated help desk had been using prior to deployment of automation. In September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and
The Asian efforts of Game Closure, the creator of EverWing on the Instant Games platform in Facebook Messenger and a launch partner on the LINE Quick Games platform. During Shen's career, one of the biggest mistakes was the largest password compilation of all time leaked online. Shen is currently managing and operating GC Turbo (gaming), AKA Virtual (mocap and animation production), and SHISA.AI (AI machine-learning). Shen
The RockYou corporate website went dark. In February 2019, after several Facebook posts promoting "exciting news" and a plan to upgrade servers, RockYou announced the closure of The Godfather: Five Families. Players were given 5 days' notice. On February 13, 2019, RockYou filed for Chapter 7 bankruptcy in U.S. Bankruptcy Court for the Southern District of New York. In December 2009, the company experienced
The answers to such questions can often be obtained by social engineering, phishing techniques or simple research. While users are frequently reminded never to reveal their password, they are less likely to treat as sensitive the answers to many commonly used security questions, such as pet names, place of birth or favorite movie. Much of this information may be publicly available on some users' personal home pages. Other answers can be elicited by someone pretending to conduct an opinion survey or offering
The company regarding privacy and data security, required it to implement and maintain a data security program, barred future violations of the Children's Online Privacy Protection Act (COPPA) Rule, and required it to pay a $250,000 civil penalty to settle the COPPA charges. On June 13, 2012, RockYou acquired Bingo developer Ryzing and relocated its headquarters to San Francisco, California. In August 2012, RockYou launched The Walking Dead Social Game based on AMC's hit series of
The company's founder and CEO, Lance Tokuda, stepped down from his position as CEO and was later replaced by Lisa Marino in April 2011. In 2010, RockYou announced the acquisitions of two game development studios, TirNua and Playdemic, as well as development agreements for two new games from John Romero's social game studio Loot Drop. Playdemic's first game, Gourmet Ranch, was nominated in February 2011 for
The exposure of over 32 million user accounts. This resulted from storing user data in an unencrypted database (including user passwords in plain text instead of using a cryptographic hash) and not patching a ten-year-old SQL vulnerability. RockYou failed to provide a notification of the breach to users and miscommunicated the extent of the breach. In October 2010, the company completed major layoffs. In November 2010,
The help desk, pretends to be the intended victim user, claims to have forgotten the account password, and asks for a new password. Rather than merely asking users to answer security questions, modern password reset systems may also leverage a sequence of authentication steps: Despite the benefits, a self-service password reset that relies solely on answers to personal questions can introduce new vulnerabilities, since
The passwords. The hacker used a 10-year-old SQL vulnerability to gain access to the database. The company took days to notify users after the incident, and initially incorrectly reported that the breach only affected older applications when it actually affected all RockYou users. The full list of passwords exposed as a result of the breach is available in Kali Linux, and has been since its launch in 2013. Due to its easy attainability and comprehensive length, it
The same name. In April 2014, RockYou purchased three Playdom social games from Disney: Gardens of Time, Words of Wonder, and City Girl, and announced it was licensing Army Attack, Crazy Penguin Wars, Millionaire City, and Zombie Lane from Digital Chocolate. In 2015, RockYou purchased The Godfather: Five Families, Kingdoms of Camelot, Edgeworld, Glory of Rome, and Dragons of Atlantis from Kabam. In 2016, RockYou acquired War of Nations from GREE. In 2019, RockYou closed down its popular but money-losing PurePlay Poker Game without notice. Shortly after,
The same software package as a password synchronization capability. Typically users who have forgotten their password launch a self-service application from an extension to their workstation login prompt, using their own or another user's web browser, or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using
The security of their approach by user experiments, user emulations, and attacker simulations. Many web-based systems not using single sign-on allow users to send a password reset link to their registered email address or phone number. However, many large social media platforms reveal a part of a user's email address and some of the phone number digits when using the 'forgotten password' function. Often
The setup, a user is asked to select items that they either like or dislike from several categories of items which are dynamically selected from a big candidate set and are presented to the user in a random order. During the authentication phase, users are asked to classify their preferences (like or dislike) for the selected items displayed to them in a random order. Jakobsson, Stolterman, Wetzel, and Yang evaluated
The user to provide a mobile phone number or personal e-mail address during setup. In the event of a password reset, a PIN code will be sent to the user's phone or email and they will need to enter this code during the password reset process. Modern technology also allows authentication via voice biometrics using voice recognition technology. A major problem with self-service password reset inside corporations and similar organizations
The user who forgot the password asks a colleague for assistance. The "helper" colleague authenticates with the password reset application and vouches for the user's identity. In this scenario, the problem changes from one of authenticating the user who forgot the password to one of understanding which users should have the ability to vouch for which other users. Though it is important to provide multifactor authentication when an SSPR software endpoint faces untrusted networks, there
The whole email address can be derived from this hint. Two-factor authentication is a 'strong authentication' method, as it adds another layer of security to the password reset process. In most cases this consists of Preference Based Authentication plus a second form of physical authentication (using something the user possesses, i.e. Smartcards, USB tokens, etc.). One popular method is through SMS and email. Advanced SSPR software requires
Was able to guess the third, where she met her husband. This incident clearly highlighted that the choice of security questions is very important to prevent social engineering attacks on password systems. Jakobsson, Stolterman, Wetzel, and Yang proposed to use preferences to authenticate users for password reset. The underlying insights are that preferences are stable over a long period of time, and are not publicly recorded. Their approach includes two phases: setup and authentication. During
Was invited to deliver the keynote speech "Virtual Characters and Real-Time Content Creation" at Google EMEA's Think Global APAC Summit 2023 held in Tokyo, Japan on May 10, 2023. Shen also appeared on the stage of Web Summit 2023 in Lisbon, Portugal, delivering a speech alongside SEGA on virtual content production. In 2024, Shen will appear at East Meets West 2024 in Honolulu, Hawai`i.
Was one of the companies invited to participate in F8, the event at which Facebook announced an open platform allowing third parties to develop and operate their own software applications on the Facebook website. Applications made for Facebook include Super Wall, "Hug Me", Likeness, Vampires, Slideshows, Birthdays, MyGifts, and Emote, among others. In December 2009, RockYou experienced a data breach resulting in