09-08-2006 19:06
From the blog: "No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised."

I work in the credit card processing industry. Here are my concerns:

1) What information was encrypted, and what was left unencrypted? Credit card acceptors routinely protect the card numbers and leave customer names and addresses and email addresses unencrypted, since a readily accessible customer/mailing/email list is darned useful.

Does the hacker now have a mapping of SL names to RL names, addresses, and phone numbers? Is that going to show up for sale on eBay or some hacker site some day soon? Or simply get spammed to all the valid email addresses (and lots of forgotten ones) that were likely stolen?

2) If the hacker has a file of encrypted credit card information, does the fact that he likely has a known credit card (from his own account) weaken the encryption at all? If the encryption is broken, does the hacker get one credit card number, or all of them? If somebody was clever enough to gain access to the data in the first place, it's foolish to assume that they'll give up and go home when they discover the card numbers are scrambled.

Here's what I'd like to hear from SL: tell us what MIGHT have been stolen. If the data was on the server, assume it might have been stolen. Without going into too much detail, go on record about how the credit card information was protected: What information was encrypted? What encryption method was used? (If a proper encryption scheme was used, giving this information is NOT a security risk.)

And ummm, if the passwords may have been compromised, mightn't the secret questions and answers also now be in the public domain? If somebody might have stolen my name, address, phone number, and the answers to a few personal questions, should I not be worried?

I'm assuming the worst. I'm at least informing my credit card companies; if they choose not to replace the card, then at least I'm on record if somebody starts using my card.