Security question paranoia? Read this.

Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
09-08-2006 12:42
When you are sent the email to have your password reset, the email contains a UNIQUE LINK to the security question. Only you will ever see this link, no one else can get at your security question unless you share your email account password with people. As long as LL is not providing passwords over the phone based solely on the answer to security questions (which is exactly how they are doing it for now), you're safe.
_____________________
A man without religion is like a fish without a bicycle.
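Added example, not code from the thread or from Linden Lab: a minimal Python version of the emailed-unique-link reset flow Chronic describes, showing why a dump of the server-side table (the scenario the thread goes on to worry about) yields no usable links. The placeholder host, the 30-minute lifetime and SHA-256 storage of the token are assumptions.

```python
import hashlib
import secrets
import time

# Assumed policy values for this example; the thread does not state LL's real settings.
TOKEN_TTL_SECONDS = 30 * 60
RESET_URL = "https://example.invalid/reset?token="  # placeholder host


class ResetTokenStore:
    """Issues unique, single-use, expiring password-reset links.

    Only a SHA-256 digest of each token is kept server-side, so a copy of this
    table cannot be turned back into a working link; the raw token exists only
    in the email sent to the account holder.
    """

    def __init__(self):
        # digest -> (account_name, expiry timestamp)
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account_name, now=None):
        """Create a reset link for the account; the raw token is returned only here."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account_name, now + TOKEN_TTL_SECONDS)
        return RESET_URL + token

    def redeem(self, link, now=None):
        """Return the account a link belongs to, or None if unknown, reused or expired.

        Whatever the outcome, the entry is removed: a link is good for one attempt.
        The caller then presents the security question; the answer on its own never
        resets anything, which is the point made in the post above.
        """
        now = time.time() if now is None else now
        token = link.rsplit("token=", 1)[-1]
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        account_name, expires_at = entry
        if now > expires_at:
            return None
        return account_name

    def stored_digests(self):
        """What a copy of this table would show: digests, not redeemable tokens."""
        return list(self._pending)
```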
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
09-08-2006 13:05
I am sorta curious - what happened to all of the people who used fake email addresses to set up alts ?

( remember those lengthy discussions that even the email address wasn't validated... )

How many accounts just got wiped for the duration......
_____________________
Maker of quality Gadgets
Caligari Designs Store
Alazarin Mondrian
Teh Trippy Hippie Dragon
Join date: 4 Apr 2005
Posts: 1,549
09-08-2006 13:19
Quite a few, I should imagine.
_____________________
My stuff on Meta-Life: http://tinyurl.com/ykq7nzt
http://www.myspace.com/alazarinmobius
http://slurl.com/secondlife/Crescent/72/98/116
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 13:23
From: Chronic Skronski
When you are sent the email to have your password reset, the email contains a UNIQUE LINK to the security question. Only you will ever see this link, no one else can get at your security question unless you share your email account password with people. As long as LL is not providing passwords over the phone based solely on the answer to security questions (which is exactly how they are doing it for now), you're safe.


Yeah but how many people did not know that in a situation such as this that LL would use that method and how many people did not know that you would be sent an email with a unique link for you to provide that information?

It's not set up the same as most other places where you only use the security answer if you FORGOT your password...not to change it!

Besides, what good is it to point this out when others can't do anything about it?
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-08-2006 13:30
Chronic is just reposting this here because in the thread where he originally said it, the logical flaws in his reasoning had already been pointed out.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Ceera Murakami
Texture Artist / Builder
Join date: 9 Sep 2005
Posts: 7,750
09-08-2006 14:08
From: Adriana Caligari
I am sorta curious - what happened to all of the people who used fake email addresses to set up alts ?

( remember those lengthy discussions that even the email address wasn't validated... )

How many accounts just got wiped for the duration......

Well, that's certainly one way to eliminate all the underage kids and griefers who typed in completely bogus information on their registration forms, isn't it?

I'll bet a lot of perfectly nice people who just were unwilling to provide personal information for 'just a game' will get screwed by this too. But it should clear out a LOT of bogus accounts.
_____________________
Sorry, LL won't let me tell you where I sell my textures and where I offer my services as a sim builder. Ask me in-world.
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
09-08-2006 14:22
From: Ceera Murakami
But it should clear out a LOT of bogus accounts.


/me is blocked out because the street she was born on has about a dozen possible spellings, that's if she ever entered the good one, as a good paranoid
_____________________

tired of XStreetSL? try those!
apez http://tinyurl.com/yfm9d5b
metalife http://tinyurl.com/yzm3yvw
metaverse exchange http://tinyurl.com/yzh7j4a
slapt http://tinyurl.com/yfqah9u
Cannae Brentano
NeoTermite
Join date: 21 Apr 2006
Posts: 368
09-08-2006 14:31
From: Ceera Murakami
Well, that's certainly one way to eliminate all the underage kids and griefers who typed in completely bogus information on their registration forms, isn't it?

I'll bet a lot of perfectly nice people who just were unwilling to provide personal information for 'just a game' will get screwed by this too. But it should clear out a LOT of bogus accounts.



Must be a conspiracy by LL to prevent the new unverifieds from logging back in but still keeping the number of accounts high.

I bet there is even a website somewhere that says so.
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 14:33
Fuck the password.

I want to know about this "encrypted billing info" that is potentially in the hands of people or peoples unknown.
_____________________
----
----
----
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 14:39
From: Fenrir Reitveld
Fuck the password.

I want to know about this "encrypted billing info" that is potentially in the hands of people or peoples unknown.


supposedly, credit card information is on another database but I don't see how considering when you fill out all of that information, it would have to match up with your avatar name which would most likely go into the same table of a database to match you up to your account.

It is possible that your credit card information is encrypted though.

Their database is huge so if the hacker did not download the database but instead just stayed in the database sniffing then it would take a long time to crack all of the passwords and credit card information. A database as big as Second Life's wouldn't take a long time to download but it would take a long time to reupload with chances of malfunctions in the process.

If LL claims that your name and billing address was at risk then considering when you enter that information along with your credit card information then one could assume that both are at risk.

What it could be if there are two databases is that your name, mailing address that you type in without entering credit card information is what is at risk and not the credit card plus billing address.

If that is the case then you can wipe the sweat from your forehead because your credit card info is safe.
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 14:45
From: Katta Sparrow
supposedly, credit card information is on another database but I don't see how considering when you fill out all of that information, it would have to match up with your avatar name which would most likely go into the same table of a database to match you up to your account.

It is possible that your credit card information is encrypted though.

Their database is huge so if the hacker did not download the database but instead just stayed in the database sniffing then it would take a long time to crack all of the passwords and credit card information. A database as big as Second Life's wouldn't take a long time to download but it would take a long time to reupload with chances of malfunctions in the process.

What's "encrypted billing info" and how does it relate to the supposed unencrypted billing info? What exactly was stolen or could have potentially been stolen? What is the strength of the encryption system used to store this information?

These are very pressing questions. I'm not sure it's sunk into a lot of people's heads just how potentially screwed those of us who have CC info tied to LL are.
_____________________
----
----
----
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 14:54
From: Fenrir Reitveld
What's "encrypted billing info" and how does it relate to the supposed unencrypted billing info? What exactly was stolen or could have potentially been stolen? What is the strength of the encryption system used to store this information?

These are very pressing questions. I'm not sure it's sunk into a lot of people's heads just how potentially screwed those of us who have CC info tied to LL are.


If the hacker went on the first database the following information would have been compromised. (You can get a detail of what I'm saying by just signing up for an account. The first database is everything prior to entering cc info)

Your avatar name (unencrypted)
Your password (encrypted)
Your rl name (unencrypted, but that depends on if you put in a real name when signing up)
your rl home address (unencrypted, once again, if you put in the real data)
your phone number (unencrypted, if you put in your real number)
Your security answer (not sure if that is encrypted but I doubt that it is)
Your email address (unencrypted)

That's about it.

Now I'm not sure about inventory items and your in world money if that is stored on the same database or not but I doubt it.

If the hacker spent time into the database without downloading the database trying to unencrypt data, chances are the hacker did not gain much because that would show up in the logs and I'm guessing that once it became noticeable to LL employees, they shut the site down.

If the hacker downloaded the database (doubt it) then the hacker has records at their disposal of passwords and all things mentioned above which will do the hacker no good considering everyone is changing their passwords anyway.
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 15:02
From: Katta Sparrow
If the hacker went on the first database the following information would have been compromised. (You can get a detail of what I'm saying by just signing up for an account. The first database is everything prior to entering cc info)

(snip)

That's about it.


Don't take this the wrong way Katta, but I do not see a "Linden" after your first name. Unless you're sitting in MSSQL or MyPHPadmin or whatever LL uses and can see a table filled with those exact columns named "First Database", then what you are submitting is about as valid as me assuming they use ROT13 to encrypt their passwords.

We don't know what was exposed until LL tells us in detail. We don't know what kind of security they used.

We don't even know what kind of access this hacker had, other than that it was "confirmed that some of the unencrypted customer information stored in the database was compromised." This included that encrypted payment info. Which may just mean it's a hash of some detail that leads to another database. (With the unencrypted billing info stored in it.) Otherwise, I am not sure why they would say "encrypted billing info."

How bad is this? Maybe not so bad.

But it could also mean that somewhere, sitting on someone's HD, is Fenrir Reitveld and Katta Sparrow's encrypted credit card information -- Waiting for some halfway reasonable attempt to be unencrypted.
_____________________
----
----
----
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 15:05
From: Fenrir Reitveld
Don't take this the wrong way Katta, but I do not see a "Linden" after your first name. Unless you're sitting in MSSQL or MyPHPadmin or whatever LL uses and can see a table filled with those exact columns named "First Database", then what you are submitting is about as valid as me assuming they use ROT13 to encrypt their passwords.

We don't know what was exposed until LL tells us in detail. We don't know what kind of security they used.

We don't even know what kind of access this hacker had, other than that it was "confirmed that some of the unencrypted customer information stored in the database was compromised." This included that encrypted payment info. Which may just mean it's a hash of some detail that leads to another database. (With the unencrypted billing info stored in it.) Otherwise, I am not sure why they would say "encrypted billing info."

How bad is this? Maybe not so bad.

But it could also mean that somewhere, sitting on someone's HD, is Fenrir Reitveld and Katta Sparrow's encrypted credit card information -- Waiting for some halfway reasonable attempt to be unencrypted.


I've run databases before. This is how I know.

Unless you want to assume that LL are lying to cover their asses and in fact have all information stored on one database (which is a highly inaccurate scenario considering how much data Secondlife has to store) then you can think I don't know what I'm talking about.
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 15:08
From: Fenrir Reitveld

But it could also mean that somewhere, sitting on someone's HD, is Fenrir Reitveld and Katta Sparrow's encrypted credit card information -- Waiting for some halfway reasonable attempt to be unencrypted.


If LL is telling the truth and cc info is stored in a separate location that wasn't hacked then the hacker has none of this on their hard drive.
Ctarr Huszar
BEYOND TATTOO
Join date: 14 Oct 2005
Posts: 125
09-08-2006 15:27
From: Katta Sparrow
supposedly, credit card information is on another database but I don't see how considering when you fill out all of that information, it would have to match up with your avatar name which would most likely go into the same table of a database to match you up to your account.

It is possible that your credit card information is encrypted though.

Their database is huge so if the hacker did not download the database but instead just stayed in the database sniffing then it would take a long time to crack all of the passwords and credit card information. A database as big as Second Life's wouldn't take a long time to download but it would take a long time to reupload with chances of malfunctions in the process.

If LL claims that your name and billing address was at risk then considering when you enter that information along with your credit card information then one could assume that both are at risk.

What it could be if there are two databases is that your name, mailing address that you type in without entering credit card information is what is at risk and not the credit card plus billing address.

If that is the case then you can wipe the sweat from your forehead because your credit card info is safe.



Don't fool yourselves here - if the parties involved were smart enough to get this extremely sensitive info out of SL servers - then they can certainly find a way to decode encryptions. I have been a victim of ID theft before and it's a hard and painful thing to go through AND FIX!! I advise anyone who has CC info here to watch their balances very carefully for a while or even call your CC company and tell them about this and get CORRECT advice on what you should or should not worry about. Our passwords were encrypted - yet SL decided to wipe them - and I am happy they did this. There is no such thing as fail-safe encryption.
Fenrir Reitveld
Crazy? Don't mind if I do
Join date: 20 Apr 2005
Posts: 459
09-08-2006 15:28
From: Katta Sparrow
If LL is telling the truth and cc info is stored in a separate location that wasn't hacked then the hacker has none of this on their hard drive.

I'm just going off what the blog said.

Originally, it said that no billing information was compromised, and now it says this:

"Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information."

It also says:

"No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised."

How I read that is that some payment (billing?) information was compromised, encrypted or not.

And that is what has got me nervous. Because even if it's encrypted, it could just be a matter of time before my CC number is acquired by a third party.
_____________________
----
----
----
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 15:33
From: Fenrir Reitveld
I'm just going off what the blog said.

Originally, it said that no billing information was compromised, and now it says this:

"Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information."

It also says:

"No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised."

How I read that is that some payment (billing?) information was compromised, encrypted or not.

And that is what has got me nervous. Because even if it's encrypted, it could just be a matter of time before my CC number is acquired by a third party.


Ahh. I didn't see the updated version. If the hacker did download the database then you have reasons to worry.
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 15:38
hmm so the original billing info states:

No credit card information is stored on the database in question, and that information has not been compromised.


That means two things.

CC info is stored on the same database

or

the hacker had access to both databases

Which one do you believe to be true?
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
09-08-2006 15:45
From: Katta Sparrow
hmm so the original billing info states:

No credit card information is stored on the database in question, and that information has not been compromised.
Why did you delete the word "unencrypted", making this statement inaccurate? Or did you get this from another source?
_____________________
A man without religion is like a fish without a bicycle.
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
09-08-2006 15:48
If there is any chance that CC info is not secure, I sure as hell hope that LL would not be stupid enough to keep that from us.
Richie Waves
Predictable
Join date: 29 Jun 2005
Posts: 1,424
09-08-2006 15:50
From: Adriana Caligari
I am sorta curious - what happened to all of the people who used fake email addresses to set up alts ?

( remember those lengthy discussions that even the email address wasn't validated... )

How many accounts just got wiped for the duration......



hahahaha!! oh funny! why should we care? if an alt was set up with a fake address it's hardly being used for the good of the grid :)
_____________________
no u!
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 16:04
From: Chronic Skronski
Why did you delete the word "unencrypted", making this statement inaccurate? Or did you get this from another source?


/108/96/135859/1.html
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
09-08-2006 16:07
From: Katta Sparrow

OK, thanks. Blog is more up to date. Forum post should be edited.
_____________________
A man without religion is like a fish without a bicycle.
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
09-08-2006 16:08
From: Chronic Skronski
OK, thanks. Blog is more up to date. Forum post should be edited.


agreed!