Second Life User Data Compromised

Hackers gained access to the user database that governs the virtual world of Second Life this week, according to an urgent security announcement from Linden Lab. Though the exploit was shut down on September 6, shortly after it was discovered, a “detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.” No unencrypted credit card information was stored in the database that was hacked, but Linden Lab is requiring all users to reset their passwords. Oddly, it seems that no notice was sent to users flagging the problem.

The text of the blog post announcing the problem today:

On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the “Forgot Password” link. An email will be sent to the email address you have registered with us. (Don’t forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password.

3pointD will bring you more details as they develop.

  • Comments (6)
  1. The naysayers are going to have a field day with this. But it is unavoidable, it is going to happen from time to time. LL was up front with what they found, took action, and that is all you can really ask. Well, of course keep vigilant about security, but that is a given.

  2. It makes me wonder if, once SL becomes open sourced down the road, we won’t see an avatarless version where people can just browse anonymously, and let the landowners decide whether they want someone logged in and with avatar, or not.

    • paulie femto
    • September 9th, 2006

    Credit card data *was* stored in the database which was hijacked. Linden Lab says not to worry, that the cc data was encrypted, but “no encryption is completely secure” and “you could contact your credit card company.”

    http://forums.secondlife.com/showthread.php?t=136209

  3. scary stuff.
    I really wonder why it took SL 2 days to notify users.

    as I posted (http://nonsmokingarea.com/blog/?p=326), this shows the importance of an open, decentralized SL. I like to describe SecondLife as the “Web.3D” – but it only has a chance to get there by opening up…

  4. I’m not arguing with you Michael, but SL is where it is today by being as open as it is? Nobody is as open as LL and SL, and after listening to Corey, Philip, and Mitch at the conference, I see no reason that is going to change anytime soon. In fact, they are continuing to push and get more stuff opened up.

  5. suck ass
