
Cancel credit cards? Nature of the compromised information?

Francis Chung
This sentence no verb.
Join date: 22 Sep 2003
Posts: 918
09-08-2006 18:27
Greetings,

Just like everyone else, I'm reading over the security announcement:
http://blog.secondlife.com/2006/09/08/urgent-security-announcement/

Something implied by the blog and a post from Jeska - the stolen passwords/payment information were encrypted:
/108/3b/135848/3.html#post1275980

But I'm curious about how significant the encryption is.

I'm speculating here:
I am assuming that passwords are encrypted using a 1-way hashing function. Now that the attacker has your database, they can perform an offline dictionary attack on the password database, so you've decided to force everyone to change their password.

However, the same technique cannot be used to encrypt payment information, because the encryption must be reversible. I am guessing that there must be some sort of key to decrypt the payment information. What is to say that decryption key has not been compromised?

Should we be going out and cancelling our credit cards? Can you please provide more information on the nature of the data exposure, using technical explanations on how the data is stored so that we can evaluate for ourselves what the severity of the situation is?

Also: Was our security question also compromised?

I would appreciate an answer with more substance than "stay tuned."
_____________________
--
~If you lived here, you would be home by now~
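An added example, not code from this thread or from Linden Lab, of the kind of one-way password storage the post speculates about: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256), so that a stolen table cannot be attacked with a single precomputed dictionary and every guess against every record costs the full work factor. The iteration count and the record format are assumptions.

```python
"""Salted, iterated one-way password hashing (PBKDF2-HMAC-SHA256).

Illustration added to the archived thread; not Linden Lab code.
Work factor and record layout are assumed values.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # per-user random salt length


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The random salt means two users with the same password get different
    records, so an attacker holding the table cannot reuse one precomputed
    dictionary across all rows; each row must be attacked separately.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than now required."""
    return int(record.split("$")[1]) < min_iterations


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("records differ:", alice != bob)          # salt defeats shared precomputation
    print("login ok:", verify_password("correct horse", alice))
    print("wrong pw:", verify_password("battery staple", alice))
```

Because the hash is one-way, a site operator cannot recover or hand out a password even with the table in hand, which is why a forced reset, not disclosure, is the available remedy.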
Robin Linden
Linden Lifer
Join date: 25 Nov 2002
Posts: 1,224
09-08-2006 21:56
The attacker had access to the database which included your real life name and contact info, and encrypted payment information. While it's conceivable that the attacker could have found a way to break the encryption on the payment information, it's unlikely. However, to be absolutely certain you could decide to alert your credit card company.

It's possible your security question was compromised, which is one reason why we're asking everyone to change their password themselves. We do not have access to passwords, so can't give them out even if someone does have the answer to the security question.

We haven't given out the technical details of our encryption process for obvious reasons. However, the payment information encryption is not reversible. In addition, we pass the full, unencrypted payment information to a secure, off-network vault which is one-way only, and which none of us has access to.