Second Life Reality Breach *Update 4*

I suspect I’m not alone in saying this was bound to happen. From the Linden Lab blog (Link):

On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.

No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised.

So much for anonymity. For anyone surfing the series of tubes, it’s largely a myth anyway. I just hope they didn’t get the plans for the Doomsday Device I was mocking up in SL.
{Update 1 (bc this could go on): Read this on the forum this morning:

I think it took them longer than two days. I reported that my SL account had been hacked on Sunday. Of course the only reporting that could be done was a message to Customer Support and Live Help as the individual was selling off my first land and deleting my inventory. I left numerous messages to Customer Support on Tuesday because it was impossible to talk to an actual person. After about 5 attempts I did speak with someone, but all communications with Customer Service left me feeling more and more like the perpetrator rather than the victim. I know of two other accts that were hacked. When all was said and done and my locked acct was returned to me, I had an account that had $40L in it, the hacker had sold my first land, transferred over $5000 Lindens to an account that I could see on my acct transaction log and they had deleted all my inventory and left me a prim “salt for your wounds”. Linden’s response? We’re sorry. Oh, did I mention that since the account was locked Linden didn’t even let me have the $500 weekly stipend for the premium account for that week.

This should get interesting.}

{Update 2: I received a form letter/FAQ from Linden Lab today. Here’s some parts I found interesting:

The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company.

…the intrusion path took advantage of a “zero-day exploit” in third-party web software.

Based on this investigation, the intrusion attempts may have started as early as September 3, 2006.

Maybe I need to take another look at ALL my passwords. When Linden Lab previously said “encrypted payment information”, I assumed it was everything except actual CC numbers, because if it included that information – which is what users really need/want to know – the commonsense thing would have been to say that up front. But that was stupid of me. Linden Lab isn’t really any different than the government or any large multinational; clear communication isn’t often in their best interests – as I’ve previously discovered.

In the meantime, while people like me are wondering about credit cards, I wonder what the age-players, Goreans, and virtual sex workers are thinking. Imagine what some child avatar prostitute/minister’s wife in Oklahoma is thinking about right now. There’s better ways to make money than trying to scam credit card accounts. If it were me, I’d sell the numbers and spend a little quality time connecting real people to their virtual activities and then send out some discreet emails (or inworld private messages; “I’ll take that dirty money in Lindens, please”).

This whole thing is going to be a real eye-opener for a lot of people.}

{Update 3: Longtime Second Lifer Cristiano Midnight posted this bit of information to the forums this morning –

The vulnerability was not in the blog software, it was in one of the support wikis that had been phased out but was still on the site. The wiki itself might not have been accessing the main DB, but the exploit allowed full execution rights on the web server itself, and there is other web software on the server that does have direct access to account info – I imagine this is how they were able to obtain access.

Based on his track record, I’d venture he’s correct. We’ll see if Linden Lab confirms this in the coming days.}

{Update 4: Just posted to the SL forum:

Whatever information was obtained was used to attempt to access my PayPal account on September 6th and September 9th.

This is the IP of the first attempt; the second, on September 9th, is identical.

84.47.180.168 Sep. 6, 2006 14:52:33 PDT Russia

That’s the second such posting. This was posted yesterday:

I logged in to my PayPal account today. On Sept 7, 2006 someone from Russia tried to access my account. I was asked, did I give them access to my account? Click no. I had to change my password and my email address. This has never happened until someone hacked the Second Life database on Sept 6, 2006.

I have a few bills I need to pay and I’m not able to until this is cleared up. And I have to call my credit card companies.}
