Second Life Forums Archive - For those who want some (emphasis on some) answers...

Allana Dion

Registered User

Join date: 12 Jul 2005

Posts: 1,230

09-10-2006 17:49

On the front page of the website hidden at the bottom there is a link to a security announcement that does answer a few questions regarding the recent hack.

http://secondlife.com/corporate/bulletin.php

From: someone

Second Life Security Bulletin

SAN FRANCISCO, CA. (September 8, 2006) - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised....

...Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

So in other words, the hackers got names, addresses, emails, passwords, and security questions. LL is claiming that the hackers did not get credit card numbers because those were on a different database. What they did take was all they need for identity theft. They have what they need to use your information to apply for and use new lines of credit in your name.

Now personally, when they say credit card numbers were not accessable, I don't want to disbelieve them, but I want to be cautious. People have already begun to have problems with paypal accounts, I prefer to play it safe with my credit card and will be cancelling it and having a new one issued monday and I do not intend to give LL my new CC info.

But I will also be keeping a close eye on my credit reports, watching for any new lines of credit appearing in my name and my advice to others would be to do the same.

_____________________

Joshua Nightshade

Registered dragon

Join date: 12 Oct 2004

Posts: 1,337

09-10-2006 17:58

From: Allana Dion

On the front page of the website hidden at the bottom there is a link to a security announcement that does answer a few questions regarding the recent hack.

http://secondlife.com/corporate/bulletin.php

So in other words, the hackers got names, addresses, emails, passwords, and security questions. LL is claiming that the hackers did not get credit card numbers because those were on a different database. What they did take was all they need for identity theft. They have what they need to use your information to apply for and use new lines of credit in your name.

Now personally, when they say credit card numbers were not accessable, I don't want to disbelieve them, but I want to be cautious. People have already begun to have problems with paypal accounts, I prefer to play it safe with my credit card and will be cancelling it and having a new one issued monday and I do not intend to give LL my new CC info.

But I will also be keeping a close eye on my credit reports, watching for any new lines of credit appearing in my name and my advice to others would be to do the same.

We got this security announcement in an email like Friday night. where were you?

_____________________

Visit in-world:
http://tinyurl.com/2zy63d

http://shop.onrez.com/Joshua_Nightshade
http://joshuameadows.com/

Allana Dion

Registered User

Join date: 12 Jul 2005

Posts: 1,230

09-10-2006 18:01

I never got one, so I didn't know what exactly it had said. There were others who never got one either. Sorry if I just repeated something everyone already knew but it was new info to me.

_____________________

Jesse Malthus

OMG HAX!

Join date: 21 Apr 2006

Posts: 649

09-10-2006 18:02

This is why I use PayPal and a psuedonym, so that crap like this doesn't happen.

_____________________

Ruby loves me like Japanese Jesus.
Did Jesus ever go back and clean up those footprints he left? Beach Authority had to spend precious manpower.
Japanese Jesus, where are you?
Pragmatic!

Cocoanut Cookie

Registered User

Join date: 26 Jan 2006

Posts: 1,741

09-10-2006 18:04

It does say "encrypted payment information" which leads me to believe - correct me if I'm wrong - that this could mean your credit card number in encrypted form, which would mean that given enough time, the person with that info could decode it.

coco

_____________________

Buster Venkman

Registered User

Join date: 21 Feb 2006

Posts: 47

09-10-2006 18:10

From: Allana Dion

[...] LL is claiming that the hackers did not get credit card numbers because those were on a different database.

That's not what they said.

They said "encrypted payment information" Speculation has been that that means credit card numbers in MD5 hashed and salted form, based on other linden comments on the forums. There has been great debate over the crackability of this form. Estimates for getting one good credit card number range from 20 minutes to lots of years. I'm guessing closer to the former, based on industry experience.

Allana Dion

Registered User

Join date: 12 Jul 2005

Posts: 1,230

09-10-2006 18:16

From: Cocoanut Cookie

It does say "encrypted payment information" which leads me to believe - correct me if I'm wrong - that this could mean your credit card number in encrypted form, which would mean that given enough time, the person with that info could decode it.

coco

Thats my thinking which is why I'm going to the hassle of cancelling that card. But they also have real names, addresses, security questions like mother's maiden name for some people. I had my identity used once years ago by a family member and this was all the information he needed to run up a 350$ phone bill, buy a 2000$ living room set and start to try to buy a car before I caught up to him. It was a family member whom I could shame and force into fixing it all. Had it been a stranger it would have been a whole lot more complicated.
There's no need to panic of course, these things can happen with any number of services we all use every day. This is the reason to keep an eye on your credit reports and be aware of any unusual things popping up on them. If your credit card is used, you can usually have the charges reversed fairly easily. If your identity is used to create new lines of credit, thats harder to fix generally.

_____________________

For those who want some (emphasis on some) answers...
Allana Dion Registered User Join date: 12 Jul 2005 Posts: 1,230	09-10-2006 17:49 On the front page of the website hidden at the bottom there is a link to a security announcement that does answer a few questions regarding the recent hack. http://secondlife.com/corporate/bulletin.php From: someone Second Life Security Bulletin SAN FRANCISCO, CA. (September 8, 2006) - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.... ...Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user. So in other words, the hackers got names, addresses, emails, passwords, and security questions. LL is claiming that the hackers did not get credit card numbers because those were on a different database. What they did take was all they need for identity theft. They have what they need to use your information to apply for and use new lines of credit in your name. Now personally, when they say credit card numbers were not accessable, I don't want to disbelieve them, but I want to be cautious. People have already begun to have problems with paypal accounts, I prefer to play it safe with my credit card and will be cancelling it and having a new one issued monday and I do not intend to give LL my new CC info. But I will also be keeping a close eye on my credit reports, watching for any new lines of credit appearing in my name and my advice to others would be to do the same. _____________________
Joshua Nightshade Registered dragon Join date: 12 Oct 2004 Posts: 1,337	09-10-2006 17:58 From: Allana Dion On the front page of the website hidden at the bottom there is a link to a security announcement that does answer a few questions regarding the recent hack. http://secondlife.com/corporate/bulletin.php So in other words, the hackers got names, addresses, emails, passwords, and security questions. LL is claiming that the hackers did not get credit card numbers because those were on a different database. What they did take was all they need for identity theft. They have what they need to use your information to apply for and use new lines of credit in your name. Now personally, when they say credit card numbers were not accessable, I don't want to disbelieve them, but I want to be cautious. People have already begun to have problems with paypal accounts, I prefer to play it safe with my credit card and will be cancelling it and having a new one issued monday and I do not intend to give LL my new CC info. But I will also be keeping a close eye on my credit reports, watching for any new lines of credit appearing in my name and my advice to others would be to do the same. We got this security announcement in an email like Friday night. where were you? _____________________ Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Allana Dion Registered User Join date: 12 Jul 2005 Posts: 1,230	09-10-2006 18:01 I never got one, so I didn't know what exactly it had said. There were others who never got one either. Sorry if I just repeated something everyone already knew but it was new info to me. _____________________
Jesse Malthus OMG HAX! Join date: 21 Apr 2006 Posts: 649	09-10-2006 18:02 This is why I use PayPal and a psuedonym, so that crap like this doesn't happen. _____________________ Ruby loves me like Japanese Jesus. Did Jesus ever go back and clean up those footprints he left? Beach Authority had to spend precious manpower. Japanese Jesus, where are you? Pragmatic!
Cocoanut Cookie Registered User Join date: 26 Jan 2006 Posts: 1,741	09-10-2006 18:04 It does say "encrypted payment information" which leads me to believe - correct me if I'm wrong - that this could mean your credit card number in encrypted form, which would mean that given enough time, the person with that info could decode it. coco _____________________
Buster Venkman Registered User Join date: 21 Feb 2006 Posts: 47	09-10-2006 18:10 From: Allana Dion [...] LL is claiming that the hackers did not get credit card numbers because those were on a different database. That's not what they said. They said "encrypted payment information" Speculation has been that that means credit card numbers in MD5 hashed and salted form, based on other linden comments on the forums. There has been great debate over the crackability of this form. Estimates for getting one good credit card number range from 20 minutes to lots of years. I'm guessing closer to the former, based on industry experience.
Allana Dion Registered User Join date: 12 Jul 2005 Posts: 1,230	09-10-2006 18:16 From: Cocoanut Cookie It does say "encrypted payment information" which leads me to believe - correct me if I'm wrong - that this could mean your credit card number in encrypted form, which would mean that given enough time, the person with that info could decode it. coco Thats my thinking which is why I'm going to the hassle of cancelling that card. But they also have real names, addresses, security questions like mother's maiden name for some people. I had my identity used once years ago by a family member and this was all the information he needed to run up a 350$ phone bill, buy a 2000$ living room set and start to try to buy a car before I caught up to him. It was a family member whom I could shame and force into fixing it all. Had it been a stranger it would have been a whole lot more complicated. There's no need to panic of course, these things can happen with any number of services we all use every day. This is the reason to keep an eye on your credit reports and be aware of any unusual things popping up on them. If your credit card is used, you can usually have the charges reversed fairly easily. If your identity is used to create new lines of credit, thats harder to fix generally. _____________________

Welcome to the Second Life Forums Archive

For those who want some (emphasis on some) answers...