Well Crafted Security Announcement
|
Kris Spade
Registered User
Join date: 22 Sep 2003
Posts: 17
|
09-08-2006 13:24
I especially like this part:
"No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised."
Basically what's being said here is that credit card information has been compromised, it's just encrypted.
Many of us know, beating most encryption algorithms is in fact very possible, especially when you KNOW that it's only a string of numbers.
That being said, I'm changing my credit card number. I advise you all do the same unless we get an official press release from Linden Labs explaining that no credit card information has been compromised, encrypted, or not.
|
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
|
09-08-2006 13:30
Oh come on, any decent encryption these days is practically impossible to break.
|
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
|
09-08-2006 13:34
I noticed this as well.
It is best at this point...No matter WHAT Linden Lab might say...to assume that any and ALL information you have ever submitted to LL has been compromised and act accordingly.
|
Kris Spade
Registered User
Join date: 22 Sep 2003
Posts: 17
|
09-08-2006 13:36
I find it amusing that you actually believe that. When you can subtract alpha characters from an equation, and are able to set a static length (16 digits for example) to a target you're attempting to break, it becomes very possible. We've run brute force system password crackers for well over a decade, and it doesn't take as long as one might think.
|
Rhyph Somme
Registered User
Join date: 2 Dec 2005
Posts: 263
|
09-08-2006 13:39
The fact that this company would dare to choose to keep any of our payment information and details in any unencrypted format is beyond fucking stupid on their part and now we pay for it since it's been compromised.
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 13:40
From: Kris Spade I find it amusing that you actually believe that. When you can subtract alpha characters from an equation, and are able to set a static length (16 digits for example) to a target you're attempting to break, it becomes very possible. We've run brute force system password crackers for well over a decade, and it doesn't take as long as one might think.
Breaking a 128-bit encryption or the like... Yes, it DOES take that long.
|
Kris Spade
Registered User
Join date: 22 Sep 2003
Posts: 17
|
09-08-2006 13:44
From: Cinos Field Breaking a 128-bit encryption or the like... Yes, it DOES take that long.
The simple fact is, we don't "know" what type of encryption was utilized. They could be replacing A with Z and B with Y for all we know, and it wouldn't make their statement any less valid.
|
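Added example, not part of any post in this thread: a Python sketch of the two search spaces argued over above. The fixed format (16 digits, Luhn check digit) bounds the plaintext space, which only matters if the stored value is an unkeyed, deterministic transform of the number; with a 128-bit key the space to search is the key space, whatever the plaintext looks like. The mask, the guess rate and the function names are assumptions for illustration, and the thread does not say which scheme was used.

```python
import math
from itertools import product

def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_candidates(mask: str) -> int:
    """Count Luhn-valid numbers matching mask ('?' = unknown digit) by enumeration."""
    unknown = [i for i, ch in enumerate(mask) if ch == "?"]
    count = 0
    for combo in product("0123456789", repeat=len(unknown)):
        digits = list(mask)
        for pos, d in zip(unknown, combo):
            digits[pos] = d
        count += luhn_valid("".join(digits))
    return count

def plaintext_space(unknown_digits: int) -> int:
    """Closed form: the check digit fixes one digit, leaving 10**(k-1) values."""
    return 10 ** (unknown_digits - 1) if unknown_digits else 1

def bits(space: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(space)

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second

RATE = 1e12  # assumed guesses per second, chosen only to make the comparison concrete

if __name__ == "__main__":
    # Constructed mask built on a well-known test number; confirms the closed form.
    assert count_candidates("411111111111????") == plaintext_space(4)
    card_space, key_space = plaintext_space(16), 2 ** 128
    print(f"card numbers: {bits(card_space):.1f} bits, "
          f"{seconds_to_exhaust(card_space, RATE):.0f} s at assumed rate")
    print(f"128-bit keys: {bits(key_space):.0f} bits, "
          f"{seconds_to_exhaust(key_space, RATE) / 3.156e7:.2e} years at assumed rate")
```

At the assumed rate the card-number space (about 50 bits) is exhausted in 1000 seconds, while the 128-bit key space takes on the order of 10^19 years, so what protects the stored data is the key and how it is kept, not the format of the plaintext.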
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 13:46
From: Kris Spade The simple fact is, we don't "know" what type of encryption was utilized. They could be replacing A with Z and B with Y for all we know, and it wouldn't make their statement any less valid.
128 is pretty much the standard, and if they use lesser forms, they are complete and utter idiots. I refuse to even consider it. Suspension of disbelief. <.<
|
Kalia Meiklejohn
You make me itch
Join date: 20 Jun 2006
Posts: 258
|
09-08-2006 13:52
CC numbers have been stolen from other companies, so it is possible for them to crack the encrypted information, even if it does take some time. I think we need some reassurance that LL will be using some better security systems in the future.
|
Kris Spade
Registered User
Join date: 22 Sep 2003
Posts: 17
|
09-08-2006 13:54
From: Cinos Field 128 is pretty much the standard, and if they use lesser forms, they are complete and utter idiots. I refuse to even consider it. Suspension of disbelief. <.<
Just as I might have once believed that it would have been stupid to do plaintext database transactions of users' sensitive information. *shrug* Expecting the worst, hoping for the best is usually the safest practice. I have my doubts regarding the safety of the credit card data (encrypted) that appears to have been compromised.
|
Syrrh Hurnung
Registered User
Join date: 9 Jul 2006
Posts: 55
|
09-08-2006 14:32
From: Rhyph Somme The fact that this company would dare to choose to keep any of our payment information and details in any unencrypted format is beyond fucking stupid on their part and now we pay for it since it's been compromised.
Right, because the CC banks love it when you try to submit charges to them and you send them an encrypted list of accounts that they can't read. There *has* to be some point along the line where security opens up a little. Without knowing exactly what happened we can't tell what the risk is, it's up to LL to disclose that information. I believe in California it's a (SOX? Maybe a separate law...) legal requirement to alert anyone whose personal or bank information might have been compromised. According to Jeska's announcement that wasn't at risk, so I wouldn't be too paranoid over it or they could really catch hell for hiding that.
EDIT: Ah nevermind, the blog tells a different story than the forum's sticky. So yeah, taking precautions with your account info would be a good idea.
|
Forum Sleestak
Yo!
Join date: 18 Jul 2006
Posts: 10
|
09-08-2006 14:48
S.B. 1386 and the Financial Services Modernization Act
|
Kris Spade
Registered User
Join date: 22 Sep 2003
Posts: 17
|
09-08-2006 17:06
From: Syrrh Hurnung EDIT: Ah nevermind, the blog tells a different story than the forum's sticky. So yeah, taking precautions with your account info would be a good idea.
That confused me at first too; the announcements are very similar except for that one piece (the important piece.)
|
Trent Laws
You can't make me
Join date: 8 Sep 2006
Posts: 58
|
I'm not worried...
09-08-2006 17:18
My CC account was already drained by the ridiculously high tier fees.
|