Wake up, LL apologists. This affects you, too.

I don't normally go back and make a new thread just to repost something I've already said, but in this case, on reflection, I feel this needs to be emphasized. I know many people tend to be phenomenally selfish and only concerned with what impacts them, so I want to point something out that might actually matter to them:

Like it or not, this affects all of us. Just how much remains to be seen.

The repost follows:

In actual fact, I didn't lose my account ... well, not my main one. I just happened to be able to guess my answer to the security question for my main account -- by lucky chance, really. I may have lost an alt account, but by comparison to many others, that makes me one of the lucky ones. Everything that I lost, combined, from my alt account is but a mere drop in the bucket compared to what it would have meant for me to lose my main account.

But looking beyond just myself for a moment, I can see that there are others who are less fortunate. Some of them may be friends I will never see again, while others are simply unfortunates I never knew but still feel badly for. Looking beyond even that, I can see this having a profound impact on businesses in SL -- not just on existing ones but also on future ones. I can tell you that I was, not all that long ago, considering going premium in the future, but LL has pretty much talked me out of it lately.

In a very real way, this affects us all. And whether you people choose to defend them until you're blue in the face or not, the fact is that it was LL's poor choices -- and, yes, unrealistic expectations -- that led to this. The trouble with having unrealistic expectations of your customers is that you don't necessarily get to stand there smugly lecturing them about how they should have done better. Often you'll find yourself lecturing to their backsides as they leave, never to return.

Then, you suddenly remember that they're your source of revenue.

While I agree this is a severe muck-up of customer service, I would like to point out something:

We have only had this issue for a few hours. I do not think that LL is going to make a situation where people cannot get back into their accounts ever. While some people may not be able to get in for the weekend, that does not mean that they are kicked out permanently.

Now, as to if they turn on their heels and walk out on LL, THAT'S another story.

Personally, I think that they did what they felt they had to do to protect their customers. I also think that their PR methods lately have been... poorly chosen.

Some people probably will turn on their heels. How many, we can never really know.

Some may have problems (not knowing their security questions, etc.) that make it so difficult to get back in that they just leave instead.

For some, this may be the last straw.

Let's not even get into what this will do with overseas accounts.

I'm royally pissed (US pissed, not UK pissed) that I can't get into my account on SL now.

But I'd rather be locked out as a stopgap measure until Monday or so rather than allow whoever accessed the data base more time to gather real names and account info.

Alex-

Security is serious.

I can't bother having a lot of sympathy for "anonymous" accounts owned by people that can't be bothered to use an enduring email address and a memorable answer to their security questions.

Knowingly or not, those anonymous players chose to live with this added level of risk by trying to be anonymous, when they could have exerted a small bit of additional effort to ensure the safety of their account.

No system will ever be perfect, which is why there are contingencies.

--
But I'm anon! Here's my id! Anon Y. Mous, 555-55-5555, ...

Are you blaming LL because people can't remember the correct response to their own security question?

I've already explained elsewhere, in detail, why security questions are ridiculous. I'm not even attempting to rehash that argument here; the case has already been made. At this point, you either see it, or you don't.

Here, I'm pointing out that even if you want to stick out your tongues and wag your fingers accusingly at those who have been hit by this because you're too damned selfish to see beyond the end of your own nose, the reality is that their loss is potentially yours as well, by extension.

In fact, I thought I made that clear. Abundantly clear.

I wonder why they would want to remain that anon without realising their accounts are at risk if something like this goes wrong and to be quite honest i to would rather be locked out until Monday knowing my account was at least safe

Then Monday perhaps i would take measures so that if this happens ever again then i would at least be able to remeber the info

how about blaming the Lindens for not allowing ANY alternative to remembering a question many people do not answer with a typical resonse.

Im suprised that the answer to the security question is not the real Life answer to it as its certainly not to mine

However i do agree with you that LL should because of this, put some extra staff on this weekend and try and get the backlog cleared and not wait until monday, as thats a bad PR move imho and im sure they will lose some customers, lets hope they at least try and put some of this right as im sure they are reading these threads

So people don't take any personal responsibility for maintaining their own information?

LL's job is to create as secure an environment as possible for data storage.

Your job, as a user, is to create passwords and security answers you can remember and a working email address.

LL failed to make the enviornment safe, and it can be argued that they're not doing all they can to make the situation right.

Some users failed to remember their security answer and failed to give a working email address.

A user getting mad at LL for their own failing makes as much sense as LL getting mad at you for someone else hacking their system.

May I humbly recommend that you never attempt to work in customer service, at any level?

If you do and take that attitude with customers, you won't last a week with a respectable company. Probably not even a day.

I think what Alex is getting at is that this exploit has the potential to be the final straw for people. My husband came home a little while ago and I told him what was going on. He just replied "fukkit". Sure he wasn't as avid a player as I am (he prefers more rpg) but he has spent thousands of $L already. He is one person, but he is not the only person who will leave SL as a result of this latest "oopsie!". This may, in fact, end up effecting the SL economy.

I've done a ten year stint in customer service, including the managerial levels as well as in the trenches, and he's certainly not off base in the least.

LL sets up some specific steps so that A) their customers can change their password at any time and B) the method to change that password is as secure as they can make it, i.e. someone needs both access to the email address on file and the answer to the secret question (or backup password, if you will).

LL should probably be pulling some extra shifts this weekend to man the phones, yes. But to try and put the blame on them for the fact that some people don't remember the backup password, or don't have access to the email accounts they used when they signed up, is to expect more of them than they can possibly deliver. If you value the security of your SL account, then you maintain the methods of access to it in a responsible manner. If LL did anything less that requiring all passwords be reset, people would be screaming bloody murder that they weren't being responsible.

Okay. I can understand why some people are hesitant to give out email addresses... (particularly for 'free' services)

Because no one wants MORE spam. (at least no one I would want to associate with).

I have a few email addresses... one I use strictly for registering stuff, so that it doesn't get mixed up in my personal email, or filtered out by my stricter spam filters on my more 'public' email addresses.

And folks MIGHT start off with a "meh, I'll take a peek and probably leave" attitude which may make them jot down 123456 in their security question, instead of actually giving a memorable answer.

But this is the age of amazon, myspace, itunes, secondlife, etc, etc, etc, if folks are being lazy and using the same password everywhere and not bothering with the security questions/hint contingencies, then it is past time time that they learned.

Anyway. It sucks for those people, but a little tough love is necessary.

Yes, exactly. And what's sad, if predictable, is that even in this thread, even where I've tried to make this point, people are still responding with, "Wut, u mean i shud care b/c sum1 didnt rite down teh security question lolololol"

Okay, not literally. But I swear it comes out sounding like that to me.

It's sad because even when I've tried to explain why this should matter to everyone, still all they can think about are their own little individual circumstances. They can get in, so what's the problem?

At times like this, I reflect that human beings so totally deserve what's coming to them, even if it means I have to get it, too.

Yeah but are security questions and answers really secure? When you get your account hacked or email account hacked because the person knew that information then would you be so willing to give out that information again?

Also security questions and answers are usually for those who forget their passwords, not to to put in a new password. I haven't seen one place that did that so you surely can't expect everyone to think they must put in their mother's maiden name or street where they grew up because alot of people don't feel secure with jotting down that information.

In databases, those answers are typically not encrypted anyway so you can't wag your finger at those who are aware that security answers are not in fact secure and type in a random answer or gibberish because that is actually more secure than typing in the correct answer.

Especially since it should not be used as a second password! If you are the type who constantly forgets your password then fine but for the majority of us that do not, we don't feel the need to type in answers to sites predefined questions that doesn't provide much security at all.

If Second Life did state under the security question that it will be used if this site is hacked for you to create a new password so put in a real answer, I might feel more sympathy for your statements however nobody knew beforehand that this is their security measure for dealing with a hacked database.

Exactly.

I don't understand why this is so difficult for some people to grasp.

I'm sorry that you feel that way, but it is absolutely not what I'm saying. What I am saying is that remembering those security checks or writing them down is a responsibility every user has. I'm sorry what you were doing didn't work for you in this situation, but that's not LL's fault.

have a feeling on Monday its going to be hard to get my password fixed.

not feeling very good about my chances of resolving this at all.

guess im lucky i stopped leaving large sums of Linden money in my account.

I know theres plenty who feel im unresponsible for not remembering my security question.

Considering I have profitable business income guess I get my karma for being so stupid.

If LL had not used your ingame name as your username like people have been saying for well over a year, This would have been harder to do, sicne the hacker wouldnt know whos accounts had any money in them.

I do have to be a little critical of anyone who signed up without giving valid information, but it's different from someone forgetting their password and then raising a fit that LL can't reset it. In that case, sure, they should be stuck with reregistering. This is a forced, unexpected change, it's not the user screwing something up.

Security in SL should involve the security questions OR the e-mail validation OR the correct password. It's the user's responsibility to keep secure whatever means they want to use, but if they chose to make damned sure they knew the password, they still lose now.

I don't know how many reports of password breakins there have been, so I don't know if this is an appallingly stupid thing or just a regular dumb move. Giving users a few days to change their own password, and THEN forcing it would be tolerable. If there's a real risk of a lot more cracked passwords before users themselves taking action then it gets a little fuzzy.

Do you feel the need to answer the security questions now?!? Predefined questions do not mean you have to give a truthful or knowable-by-others answer. The codeword can be anything.

Lorelei ... are you listening?

I, personally, lost very little -- virtually nothing. I'm out maybe a free alt account that I rarely used and the few thousand Lindens I invested in it, money I can make back in no time these days. If this were just about me, I wouldn't even bother. I didn't lose enough to get that excited.

I'm talking about what we all stand to lose here. You can say all you want that it isn't LL's fault, but it's LL's methods, including especially requiring the security question to create a new password that they've reset (something I've never seen any company do) and then on top of that just blowing it off and taking the weekend off, that have led to this.

Furthermore, the poor customer relations that they've established recently, which also add to the problem right now because for some it's going to be the last straw, can be nobody's fault but theirs.

It should be sufficent to say "In the event we need proof that you are the rightful owner of this account, please choose a memorable security question and answer, that other people would likely not know about you." No need to detail server hacks, compromised customer computers, forgotten passwords or other situations.

Of course it's easy not to forget a password if you're using the same password everywhere, year after year. (which is both foolish and dangerous). I, personally, have too many to track in my head.