Email From Linden Lab

Hello Second Lifers,

As announced on our website at http://secondlife.com/corporate/bulletin.php and corporate blog at http://blog.secondlife.com/?tag=security, Second Life discovered an attack on our servers on September 6, 2006. The full security bulletin is reprinted below, followed by a FAQ that includes important security advice for our community.

===================
SECURITY BULLETIN


*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.

The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed.The company's technical investigation is ongoing.

"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community."

Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

===================
FREQUENTLY ASKED QUESTIONS

Q: I can't log in to Second Life. How can I regain login access?

A: As a security precaution, all Second Life account passwords have been invalidated. You need to establish a new password in order to log in. You can receive instructions for changing your password by visiting http://secondlife.com/password. Please note that we are updating the password request process - if you have recently tried that page and could not change your password, please try again.


Q: Was my account information compromised?

A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.


Q. Is my information still at risk from another attacker?

A: The compromised system was rebuilt and made more secure. We will be announcing additional plans for security improvements in a post to come on our blog, at http://blog.secondlife.com/?tag=security.


Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.


Q: What kind of attack was used to gain access to the Second Life databases? Has the identity of the attacker been established?

A: We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.


Q: What was the timing of the attack and Linden Lab's investigation?

A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006.On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and we will report further results as they become available at http://blog.secondlife.com/?tag=security.

Sincerely,

Linden Lab and the Second Life team

Who cares! Tell them to tell me why it says, NO SECURITY QUESTION ! How the heck can I fix a password when there is no QUESTION!

heh, great minds.

/108/7e/136102/1.html

This is rather strange. "MD5 and Salt" is used for authentication, not secrecy.

For a password it makes absolute sense, but for card information!?

Either LL is being cagey about exactly how the card details were encrypted, or for some reason the database actually did contain an MD5+salt of a credit card number (possibly so that the relation with the actual credit card database could be verified in case of failure!?)

So I am supposed to believe that the logs couldn't tell them which database had been hacked initially or that THEY DON'T KNOW WHICH DATABASE OUR CUSTOMER IDENTITY INFORMATION IS ON?????????

Has anyone seen my happy place?

this is a total crock. When I buy Lindens in-world, LL charges my credit card. Theyt could not do this if my credit card was encrytped with MD5.

MD5 is a ONE WAY HASH FUNCTION; it is useful for things like passwords, it is NOT used to store credit card info that you need to decrypt and reuse.

They are oversimplifying, or worse.