File a Fraud Alert (U.S. residents)
|
Paul Darrow
Registered User
Join date: 16 Apr 2006
Posts: 4
|
09-09-2006 15:05
As an additional precaution against Identity Theft, U.S. residents may also want to file a 90-day Fraud Alert with credit reporting companies. This will force a phone call verification if anyone attempts to use your personal information to obtain credit or open a new account anywhere. If you file a Fraud Alert with any one of these companies, they are supposed to forward the information to the other two companies, so you only have to contact one of these three.
www.equifax.com 800-525-6285
www.experian.com 888-397-3742
www.transunion.com 800-680-7289
To extend the Fraud Alert beyond 90 days, see the websites for more details. I think an extension requires a written request. More basic information about Identity Theft: www.consumer.gov/idtheft
|
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-09-2006 15:09
I would definitely take this advice. Even if LL's assertion that the credit card numbers were MD5'd is true, since they at a minimum stored the last 5 digits in plaintext (look at your account page), given the last 5 digits and the MD5 hash, the rest could be brute forced in less than 27 hours. Of course, I don't know of any credit card clearing house that would let you submit a hash instead of the real number; it doesn't make sense to me. All the systems I've seen that retain numbers have retained CC numbers in plaintext. I've asked LL for clarification here: /139/cf/136263/1.html In the meantime, you should probably get your credit card number changed. The likelihood of credit card information being out there is high from what I've been able to put together.
|
Eddy Stryker
libsecondlife Developer
Join date: 6 Jun 2004
Posts: 353
|
09-09-2006 19:07
Also, moving and changing your home phone number will make the billing address and phone of your card invalid so identity thieves can't use the card online. Consider relocating, even if it's just down the street.
_____________________
http://www.libsecondlife.org
From: someone
Evidently in the future our political skirmishes will be fought with push weapons and dancing pantless men. -- Artemis Fate
|
Brookston Holiday
Registered User
Join date: 29 May 2005
Posts: 58
|
09-09-2006 19:40
Also, remember that it's 27 hours for each credit card number, so if your last name begins with a-f, file a fraud report now. Further on down the list, wait a few weeks. Also, anyone else applying for a new Social Security number??? I know it wasn't on the database, but I want to make sure I'm covering all my bases.
|
Doubledown Tandino
ADULT on the Mainland!
Join date: 9 Mar 2006
Posts: 1,020
|
09-09-2006 19:41
I have used Equifax in the past. Lots of good valuable information about your identity and credit listed. It's a free month trial, but you do have to give a credit card.... but just cancel before the month is up.
_____________________
http://djdoubledown.blogspot.com
|
Lum Kuhr
Registered User
Join date: 29 Jun 2005
Posts: 93
|
09-09-2006 20:59
It should probably be pointed out that MD5 was cracked months ago.
MD5 is supposedly a one-way encryption, i.e. you can't get the original data back; all you can do is MD5 a new piece of data and see if the resultant MD5 hash matches your first one. It makes it good for passwords, for example.
However, it's now possible to get a listing of a number of possibilities of what the original data was, it's then just a case of figuring out which is the real one.
With credit card numbers this is easy peasy. It's a modulo check (called LUHN) and thus it's easy to quickly verify if a given credit card number is valid.
So put the three together, a finite list of possible credit card numbers, an easy way to find out which one is the real one, and all your personal detail.
Yep, I'd be worried.
|
Nene Nino
Registered User
Join date: 16 Jul 2005
Posts: 1
|
09-09-2006 21:51
UK residents can do the same thing via this service, though it costs £11.75 to do so. I, for one, will be contacting Linden and insisting that they pay for this. In my own opinion, I believe Linden Labs have been grossly negligent in this matter. Not only was a server storing personal details accessible in this way, but the server itself contained credit card information stored using a known insecure hashing algorithm. So now someone has my name, address, contact details and my card details. I work in the internet payment industry; we have put enormous amounts of effort into security, as have our customers and our competitors in the UK, and the fact that a company could make such a terrible mistake appalls me beyond words.
|
Richie Waves
Predictable
Join date: 29 Jun 2005
Posts: 1,424
|
09-09-2006 22:17
I'm organising a bomb shelter in Dublin.. so get here fast!
_____________________
no u!
|
Missy Malaprop
♥Diaper Girl♥
Join date: 28 Oct 2005
Posts: 544
|
09-10-2006 03:43
From: Eddy Stryker
Also, moving and changing your home phone number will make the billing address and phone of your card invalid so identity thieves can't use the card online. Consider relocating, even if it's just down the street.
lol... I hope that was a joke.... FIRE FIRE FIRE!!! THE SKY IS FALLING!!!! AAHHHHHHH!!!!!!! Kill yourself before they can kill you!!!!!
|
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
|
09-10-2006 04:01
I seriously hope that those ripping the fuck out of those who are seriously worried are never victim of identity theft. When that shit happens, you can kiss goodbye to a min of a year of your life spent trying to fix it. I can assure you, it's hell.
|
Sniper Rebel
Sniper
Join date: 24 Mar 2005
Posts: 10
|
09-10-2006 04:07
OK, to say that MD5 is a good encryption is a joke. Why can I say this? Easy: MySQL, which uses MD5 hash to encrypt things. And I'm willing to bet that LL uses MySQL since this site relies on MySQL (b/c it's PHP based). It can be CRACKED if you know where to look. So you say, where is a good place to start? OK, how about google.com? All you have to do is put an MD5 hash in the search bar and chances are good that something will come up. lol, now don't worry ppl, I'm not going to give all my secrets away. LOL, but on a matter of this I do know what I'm talking about; that's why when I got my first SL account I used a PRE-paid CC, that way if something ever happened I knew I was safe. So don't think MD5 is all that safe if I can sit here on days end and crack websites that are MySQL based. Then not only can I get your info but a lot of others out there that are better than me can! And for the record I had no part in the access of the "vital" info that was obtained. Thank you and have a good day/night! Oh yeah, if you don't believe that I'm being truthful to my claims of knowing how to DE-crypt MD5 hashes, well then let me see here, ummm, I can upload an MD5 hash cracker to my PERSONAL website or you can ask certain residents about me and a certain website. Choice is yours! YOU WANT THE MD5 HASH CRACKER THEN SEARCH GOOGLE!
|
Swiftwind Dale
Snowmew Chakitty
Join date: 28 Jun 2006
Posts: 4
|
09-10-2006 07:55
Just did this... TransUnion is used more than the other two from what I recall hearing, so I would recommend placing the alert initially with them. I know in my case when I looked them up a couple months ago to see if I could get my car loan that there were a ton of inquiries through TransUnion and almost none through Equifax. I didn't check the third one at that time though.
At least LL didn't try any of those alternate "Identity Verification" schemes other people were suggesting when they first added unverifieds, like SSN or Driver's Licenses.
|
Neural Blankes
Empty Thoughts
Join date: 22 Mar 2006
Posts: 79
|
09-10-2006 09:29
Thx for the numbers Paul
btw, Equifax claims that when you file the fraud alert they will forward the info to Experian and TransUnion. Whether or not they can be trusted to do this I don't know. I wouldn't be surprised if they are just making it up so that when your credit is compromised they can hit you with a sales pitch for one of their overpriced products/services.
|
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-10-2006 10:05
From: Lum Kuhr
With credit card numbers this is easy peasy. It's a modulo check (called LUHN) and thus it's easy to quickly verify if a given credit card number is valid.
Excellent point! I didn't figure in the CC validation check, which would cut the time significantly from the original 10^11 possibilities given the last 5 digits. And the first 4 digits can only be one of a few hundred choices (they identify the issuing bank). So yeah, given the last 5 digits and an MD5 checksum, it should be possible to get the rest of the number in an almost trivial amount of CPU time.
|
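The Luhn check discussed above, plus a count of how many card numbers survive it once an issuer prefix and the stored last five digits are fixed. This is an added example by the editor, not code from anyone in this thread; it assumes a 16-digit number with a 6-digit issuer prefix, and the card numbers used are constructed test values.

```python
import itertools

# Added example, not from any poster in this thread. Assumes a 16-digit card
# number whose first 6 digits identify the issuer and whose last 5 digits
# were stored in plaintext, as the posts above describe.

def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check."""
    total = 0
    # Walk right to left: every second digit, starting with the one just
    # left of the check digit, is doubled, minus 9 if the result exceeds 9.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def luhn_candidates(prefix: str, suffix: str, length: int = 16):
    """Yield every number of this length with the given prefix and suffix that passes Luhn."""
    free = length - len(prefix) - len(suffix)
    for mid in itertools.product("0123456789", repeat=free):
        cand = prefix + "".join(mid) + suffix
        if luhn_valid(cand):
            yield cand

def count_candidates(prefix: str, suffix: str, length: int = 16) -> int:
    """Number of Luhn-valid card numbers consistent with the known digits."""
    return sum(1 for _ in luhn_candidates(prefix, suffix, length))

def expected_count(free_digits: int) -> int:
    """Closed form for count_candidates: the double-and-subtract-9 step permutes
    the digits 0-9, so for any setting of the other free digits exactly one
    value of the last free digit satisfies the check. Luhn therefore removes
    exactly 90% of candidates; the issuer prefix is what removes the rest."""
    if free_digits < 1:
        raise ValueError("need at least one free digit")
    return 10 ** (free_digits - 1)

if __name__ == "__main__":
    # Constructed values: a standard Luhn test number and a synthetic prefix/suffix.
    print(luhn_valid("4111111111111111"))       # True
    print(count_candidates("411111", "11111"))  # 10000: five free digits, one in ten passes
    print(expected_count(16 - 5))               # 10**10: only the last five digits known
```

With only the last five digits known the space is 10^10 Luhn-valid numbers; fixing the issuer prefix as well leaves 10^4, which is why hashing a card number with a fast digest does not hide it.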
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-10-2006 10:11
From: Sniper Rebel
ok to say that MD5 is a good encryption is a joke.
MD5 is not encryption, it's a message digest algorithm.
From: someone
Why can I say this? easy MySQL which uses MD5 hash to encrypt things.
Uh, no.
From: someone
And I'm willing to bet that LL uses MySQL since this site relies on MySQL (b/c it's PHP based).
PHP can use any DB. But yeah, they have said they use MySQL in the past.
From: someone
google.com all you have to do is put an MD5 hash in the search bar and chances are good that something will come up.
An infinite number of things hash to the same MD5. Sorry, try again.
From: someone
So don't think MD5 is all that safe if I can sit here on days end and crack websites that are MySQL based.
This is usually because the web programmer doesn't properly scrub the input data, allowing SQL injection attacks.
From: someone
Oh yeah if you don't believe that I'm being truthful to my claims of knowing how to DE-crypt MD5 hashes well then
It's not a question of believing you. You show a fundamental lack of understanding about what MD5 is. I can prove mathematically that you are full of shit. The only reason it would be trivial to figure out a credit card number that was MD5ed is because the attackers at minimum have the last 5 digits, and the credit card is short enough that there won't be a lot of collisions, and as was pointed out in this thread, credit card numbers have a validation algorithm which further constrains the possible correct answers.
|
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-10-2006 10:16
From: Lum Kuhr
It should probably be pointed out that MD5 was cracked months ago.
MD5 wasn't cracked in any meaningful way. What's possible is that you can generate two crafted files that share some common parts, and have some different parts, that both MD5 to the same hash. This has limited usefulness. You might, for example, post a legitimate version of "SUPERCOOL.EXE" along with MD5 hashes... get people trusting it, then replace it with a new version that MD5s to the same hash but has a malicious payload. That's the only sort of attack that could be carried out with the known MD5 flaws. You cannot, for example, easily craft a file with a hash that collides with an arbitrary hash. If someone else uploaded SUPERCOOL.EXE and you wanted to replace it with something evil that hashed to the same thing, you are out of luck. You must control both files to collide a hash in a meaningful way.
|
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
|
09-10-2006 10:20
From: Gigs Taggart
You must control both files to collide a hash in a meaningful way.
Nothing better than a meaningful colliding of 2 hashes in the Metaverse
_____________________
Independent Shopping for Second Life residents from established and new merchants. http://slapt.me
slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
|
Eddy Stryker
libsecondlife Developer
Join date: 6 Jun 2004
Posts: 353
|
09-10-2006 15:52
From: Lum Kuhr
It should probably be pointed out that MD5 was cracked months ago.
MD5 is supposedly a one-way encryption, i.e. you can't get the original data back; all you can do is MD5 a new piece of data and see if the resultant MD5 hash matches your first one. It makes it good for passwords, for example.
However, it's now possible to get a listing of a number of possibilities of what the original data was, it's then just a case of figuring out which is the real one.
With credit card numbers this is easy peasy. It's a modulo check (called LUHN) and thus it's easy to quickly verify if a given credit card number is valid.
So put the three together, a finite list of possible credit card numbers, an easy way to find out which one is the real one, and all your personal detail.
Yep, I'd be worried.
As has been mentioned 1,473 times before, the hashes were salted so this is completely a non-issue. And the collision attack wouldn't help at all in this case even if the hashes weren't salted; what you are talking about is a brute-force attack through the CC number space. It would have worked fine... if not for the salt.
_____________________
http://www.libsecondlife.org
From: someone
Evidently in the future our political skirmishes will be fought with push weapons and dancing pantless men. -- Artemis Fate
|
Paul Darrow
Registered User
Join date: 16 Apr 2006
Posts: 4
|
09-10-2006 15:59
To those who aren't worried about their credit records, a few bad transactions on your credit history can cost you your next car, apartment, house or any other type of loan or credit application. It doesn't matter if you were the victim. The reality of the credit history system is such that the victim of identity theft can often be treated like a criminal even after filing all the proper police and fraud reports. Re-establishing your good credit can take years. Here's a news story: "Newest Job Qualification — A Good Credit History". Regardless of whether or not the thieves can decrypt your credit card number, you should file a Fraud Alert to prevent ID thieves from applying for new credit in your name.
|
Leena Khan
Lasting Impressionist
Join date: 21 Apr 2004
Posts: 200
|
09-10-2006 16:01
I've been using PayPal, and I just made sure to change my PayPal password. Luckily, I have no credit card info to worry about; it's all blanked out (I checked).
_____________________
SL was down, and all I got was this stupid signature...
|
Lum Kuhr
Registered User
Join date: 29 Jun 2005
Posts: 93
|
09-10-2006 16:51
From: Eddy Stryker
As has been mentioned 1,473 times before, the hashes were salted so this is completely a non-issue. And the collision attack wouldn't help at all in this case even if the hashes weren't salted, what you are talking about is a brute-force attack through the CC number space. It would have worked fine... if not for the salt.
Assuming this is correct: where is the salt stored? Is it in the database, is it in a different database, or is it in the program code? Do we have absolute proof that the attackers have not gained access to the salt? I haven't seen any confirmation either way. However, in reality, any PC capable of running SecondLife should take about a day and a half to brute force the details for ONE person's details. Do this to 5 or 6 of the records and you have enough information to deduce the salt anyway. The rest of the DB is then dead easy.
|
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-10-2006 20:49
From: Eddy Stryker
As has been mentioned 1,473 times before, the hashes were salted so this is completely a non-issue. And the collision attack wouldn't help at all in this case even if the hashes weren't salted, what you are talking about is a brute-force attack through the CC number space. It would have worked fine... if not for the salt.
Salts are normally stored with the hashes. Salts just prevent the attacker from generating one complete brute force attack (and saving the results to disk) and then doing a much faster binary search tree search of the hash space for the rest of the numbers.
|
grumble Loudon
A Little bit a lion
Join date: 30 Nov 2005
Posts: 612
|
09-10-2006 22:05
but they don't have my SS number.
|
Swiftwind Dale
Snowmew Chakitty
Join date: 28 Jun 2006
Posts: 4
|
09-10-2006 22:57
Or driver's license, despite what people wanted for verification back when they stopped requiring credit cards.
|