Should I Cancel My Credit Card? HELP IMPORTANT |
|
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
|
09-09-2006 00:50
It's like the story of the guy who blew a million dollar deal for his company. His boss calls him into his office, and the guy says "I know. I'm fired". The boss says, "Are you kidding? We just spent a million dollars educating you."
|
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
|
09-09-2006 00:51
> It's like the story of the guy who blew a million dollar deal for his company. His boss calls him into his office, and the guy says "I know. I'm fired". The boss says, "Are you kidding? We just spent a million dollars educating you."

RL story? O_o
_____________________
"People can cry much easier than they can change."
-James Baldwin |
Sky Goodnight
Registered User
Join date: 28 Apr 2006
Posts: 16
|
09-09-2006 01:10
> On the 1st September, I received a phishing email (CC Co.). That in itself is not so unusual, although I have never received one mimicking my CC. What is unusual, is that it contained my full address and telephone number, something that I have never personally experienced. I don't want to sound unnecessarily alarmist, and maybe it's nothing, but: The email was sent to the registered email of avatar x. The particular CC co. being mimicked was the one registered to avatar x. I haven't used this particular card anywhere in nearly a year. I have never ever received a scam email that contained my full address. All these lead me to worry. The email of course doesn't indicate that the CC no. is known, but that the scam artist knows the email + address + tel no. + CC company. Am I clutching at straws here? It was a week ago.

Well Hiro... that sounds pretty darn suspicious to me. The mere fact that this mail was sent to the registered email connected to your SL account is a big red flag. Do you use the same email address for other things?
_____________________
Sky Goodnight
www.slexlife.com |
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
|
09-09-2006 03:45
> Seems to me that anyone stressed out by the possibility of credit card info having been accessed by crooks should cancel the credit card that LL has on file, to eliminate the cause of their stress, whether doing so is actually needed or not. If you cancel the card, you can stop worrying, if you don't, you will probably stay worried. Posting in the general forum and asking for a response by a Linden is not likely to be as effective as posting in the Answers forum where only Lindens can answer. Posting in the general forum and acting like non-Lindens shouldn't answer is just silly.

Before making this post in general, I approached two Lindens in world. Here were the two answers from two diff Lindens: Linden 1: "email support@secondlife.com" Linden 2: "blog.secondlife.com man" And duh, of course I cancelled the CC, but that CC isn't the only one in existence lol. Since LL couldn't give me any info, I wanted to not only get opinions here, but also warn others should my suspicions be founded. So, no, it's not silly. |
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
|
09-09-2006 03:50
> Well Hiro... that sounds pretty darn suspicious to me. The mere fact that this mail was sent to the registered email connected to your SL account is a big red flag. Do you use the same email address for other things?

Yes I do. Of course, it's entirely possible that some other company's db elsewhere has been hacked, but this is too much of a coincidence for me given that I haven't used this card in over a year. |
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
09-09-2006 05:49
> So, no, it's not silly.

I'm not sure what you are saying is not silly. Being concerned about the security problem isn't silly. Asking a question in this forum isn't silly. Asking a question in the general forum, where anyone can answer, and expecting no one but Linden employees to respond is silly.
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them. I can be found on the web by searching for "SuezanneC Baskerville", or go to http://www.google.com/profiles/suezanne - http://lindenlab.tribe.net/ created on 11/19/03. Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan - |
Hiro Queso
503less
Join date: 23 Feb 2005
Posts: 2,753
|
09-09-2006 05:51
> Asking a question in the general forum, where anyone can answer, and expecting no one but Linden employees to respond is silly.

Well I guess that it's fortunate that I was addressing everyone but the Lindens then, eh? |
Toreddar Luchador
Registered User
Join date: 19 Jun 2004
Posts: 20
|
see? THIS is....
09-09-2006 06:21
what I was thinking about happening when I first ranted about the "payment info used" BS when it first came out....about LL making things easier for a hacker who got ahold of the info and wanted to know who exactly to concentrate their unencrypting efforts at....why make it easier for them? Now, things are just wait and see? I have had a one dollar debit made to my account as of yesterday/last night....and that sort of thing usually only happens right before LL takes out their monthly fee right before the first of the month....why the dollar debit now? Time to change things and make others alert, too.
|
Jamie David
Registered User
Join date: 8 Jun 2006
Posts: 123
|
09-09-2006 07:08
Reading carefully what they said, the "Unencrypted Credit Card information" was on separate computers. What was on the database was an encrypted version of the Credit Card that was hashed and salted. It is but a matter of time before someone can figure out the key for all the numbers.
But if that is really what is happening, who knows. I have searched for Zero Day Exploits for both WordPress and vBulletin and can find nothing. Last exploit was August 20th. I want to know what is being done to catch the hacker and secure the data? Are the FBI involved? This is a Federal crime and Visa says they have no information on any issues with LindenLabs. I want my personal data secured, not left out there to be passed around the Internet as the latest useless password file to show how LindenLabs security was broken. My name, address, city, zip code, credit card, birth date and mother's maiden name. What more would an identity thief want? What is happening??????? Where are the boys in Blue? |
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-09-2006 07:32
Well...
If they used good encryption there is no realistic risk at all. If they didn't... well, I can just report "stolen" transactions and get the money back. Big deal. |
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
|
09-09-2006 08:12
I still wouldn't take any chances, contact your credit card co's and banks and get the info you need to protect yourself.
I'd rather err on the side of being overly precautious, rather than being sorry later. |
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
|
09-09-2006 08:39
> I still wouldn't take any chances, contact your credit card co's and banks and get the info you need to protect yourself. I'd rather err on the side of being overly precautious, rather than being sorry later.

Robin Linden has just commented about CC on this thread/post /108/3b/135848/8.html#post1278549
_____________________
Independent Shopping for Second Life residents from established and new merchants.
http://slapt.me slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26 |
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
|
09-09-2006 09:09
From an email I got...

Q: What was the timing of the attack and Linden Lab's investigation?
A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006.

WTF... I find this very, VERY worrisome.

coco
_____________________
|
Pumpkin Cookie
Custom Photographer
Join date: 5 Mar 2006
Posts: 108
|
cc makes ya go hmmmm....
09-09-2006 09:16
hmm on cc issue, my account was due yesterday an it wasnt taken out till this morning on sat (odd sl is closed on sat or i thought ) i have plenty of money in my checking account. my sl account says its in red a minus, i went to bank an they said no one had tried to take any money out with that amount lol an my account says on page its active an next due date is on there also sorta odd i think
|
Thistle Decatur
Registered User
Join date: 25 Aug 2006
Posts: 77
|
09-09-2006 09:31
My cat just sneezed! She never does that. zomg hackers!!
|
Annie Malaprop
Registered User
Join date: 16 Sep 2005
Posts: 82
|
Wtf?
09-09-2006 09:50
Just logged in here to see if there were others who notice the GIANT GAPING HOLE in Linden Labs' "logic". Looks like there are, but LL still isn't coming clean.
Let's see... encrypted passwords were compromised, so we'd better have you reset your password. On the other hand, "only" encrypted credit card info was compromised, so your more-important-by-several-degrees-of-magnitude financial data is safe. Huh? LL, if you're reading this, please explain. Is there some reason that encrypted financial data is inherently safer than encrypted passwords? |
Fenris Fizz
Registered User
Join date: 2 Jun 2005
Posts: 6
|
USD balance minus side
09-09-2006 16:06
> hmm on cc issue, my account was due yesterday an it wasnt taken out till this morning on sat (odd sl is closed on sat or i thought ) i have plenty of money in my checking account. my sl account says its in red a minus, i went to bank an they said no one had tried to take any money out with that amount lol an my account says on page its active an next due date is on there also sorta odd i think

I noticed that USD balance on my SL account is at minus side too (the amount of SL's monthly fee, since it's been at zero all the time until now), first time ever (that I've noticed). I'm curious about this, but I guess it's related to this event that's going on currently. Fenris |
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
|
09-09-2006 17:42
As I said in Linden Answers, either the credit card numbers were not encrypted, or they are easily guessed if what LL asserts is correct.
LL says our payment information was protected by MD5 hashing. MD5 is not encryption. There's no keys. There's no way to "decrypt" it really. You can guess what it might be and test to see if it matches though. The last 5 digits of our credit card at a minimum is stored in plaintext. If it were MD5ed they couldn't display it on our information page. Using the last 5 digits and the MD5 hash, you could guess the rest in about 27 hours, as a conservative estimate of trying 1 million hashes per second. I cancelled my card and they are mailing me a new one. I suggest you do the same. _____________________
|
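Added example, not part of any post in this thread: the arithmetic behind the 27-hour estimate in the post above, followed by the guess-and-test it describes, run on a constructed test number. The 16-digit length, the Luhn filter, the `MD5(salt || number)` layout, the salt value and the known 7-digit prefix in the demo are assumptions made for the illustration.

```python
import hashlib

def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def search_space(length=16, known_digits=5, luhn=False) -> int:
    """Candidates left when `known_digits` of the number sit in plaintext."""
    n = 10 ** (length - known_digits)
    return n // 10 if luhn else n   # the check digit rules out 9 in 10

def hours_to_exhaust(candidates: int, rate_per_sec=1_000_000) -> float:
    return candidates / rate_per_sec / 3600

def digest(pan: str, salt: bytes = b"") -> str:
    # Assumed storage scheme: MD5(salt || number). A salt kept beside the
    # hash blocks precomputed tables but is available to whoever holds the row.
    return hashlib.md5(salt + pan.encode()).hexdigest()

def find_match(target: str, prefix: str, suffix: str, length=16, salt=b""):
    """Guess-and-test over the unknown middle digits; returns (number, hashes)."""
    width = length - len(prefix) - len(suffix)
    hashes = 0
    for n in range(10 ** width):
        cand = f"{prefix}{n:0{width}d}{suffix}"
        if not luhn_ok(cand):
            continue
        hashes += 1
        if digest(cand, salt) == target:
            return cand, hashes
    return None, hashes

# Constructed input: the public Visa test number, not a real card.
TEST_PAN = "4111111111111111"
SALT = b"constructed-salt"

if __name__ == "__main__":
    print(f"{hours_to_exhaust(search_space()):.1f} h for 10^11 candidates")
    print(f"{hours_to_exhaust(search_space(luhn=True)):.1f} h with Luhn filtering")
    # Reduced demo: 7 leading digits assumed known so only 4 digits are searched.
    print(find_match(digest(TEST_PAN, SALT), "4111111", "11111", salt=SALT))
```

For stored card data the relevant design point is that a fast hash over a number whose trailing digits are also kept in plaintext leaves a search space small enough to enumerate; keyed encryption or tokenization with the key held elsewhere does not have that property.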
Jesse Malthus
OMG HAX!
Join date: 21 Apr 2006
Posts: 649
|
09-09-2006 19:04
> As I said in Linden Answers, either the credit card numbers were not encrypted, or they are easily guessed if what LL asserts is correct. LL says our payment information was protected by MD5 hashing. MD5 is not encryption. There's no keys. There's no way to "decrypt" it really. You can guess what it might be and test to see if it matches though. The last 5 digits of our credit card at a minimum is stored in plaintext. If it were MD5ed they couldn't display it on our information page. Using the last 5 digits and the MD5 hash, you could guess the rest in about 27 hours, as a conservative estimate of trying 1 million hashes per second. I cancelled my card and they are mailing me a new one. I suggest you do the same.

No, they said our passwords were protected by MD5 *PLUS SALT*. This makes them fairly un-rainbow-tableable. They also said that the billing stuff was in a non-compromised database. This is why I use PayPal...
_____________________
Ruby loves me like Japanese Jesus.
Did Jesus ever go back and clean up those footprints he left? Beach Authority had to spend precious manpower. Japanese Jesus, where are you? Pragmatic! |
Eddy Stryker
libsecondlife Developer
Join date: 6 Jun 2004
Posts: 353
|
09-09-2006 19:12
> As I said in Linden Answers, either the credit card numbers were not encrypted, or they are easily guessed if what LL asserts is correct. LL says our payment information was protected by MD5 hashing. MD5 is not encryption. There's no keys. There's no way to "decrypt" it really. You can guess what it might be and test to see if it matches though. The last 5 digits of our credit card at a minimum is stored in plaintext. If it were MD5ed they couldn't display it on our information page. Using the last 5 digits and the MD5 hash, you could guess the rest in about 27 hours, as a conservative estimate of trying 1 million hashes per second. I cancelled my card and they are mailing me a new one. I suggest you do the same.

Someone already pointed out the fact that the billing information was salted, so no you couldn't brute force using the hash as a test. But at least you get a shiny new card now, mine is starting to get a stress line down the middle from my wallet.
_____________________
http://www.libsecondlife.org
Evidently in the future our political skirmishes will be fought with push weapons and dancing pantless men. -- Artemis Fate |