My questions are threefold:
1) It has been stated here on "Second Life Answers" that the secret question & answer are on the "potentially compromised" list. It has also been stated here that Linden uses this information when people call in to do things like authorize password resets.
Q. How and when will users be able to change their secret question and answer?
2) The FAQ says that the payment and password information was "encoded" using MD5. MD5 is a hash function, not an encryption function. The meaning of "encoded" is therefore ambiguous.
Q. Is the payment information that was potentially exposed hashed or encrypted?
(This question matters because if it was hashed, the attacker cannot recover it, but if it was encrypted, they might. That knowledge affects the users' response vis-à-vis the need to contact their credit card companies.)
3) The FAQ describes the password scheme as MD5 + salt and claims that this is "industry standard technique that is difficult to defeat." Hi, I'm from the "industry" and while this technique is well known, it's not standard practice for any for-profit site with more than a handful of users.
To demonstrate this, I bet a guy in your forum L$10,000 that he could not crack an MD5 + salt password using a scheme based on your own but with added complexity, in under 48 hours.
See this post less than two hours later where he found my 13-character password and the specific parameter used to encode it, won my L$10,000 (money well spent to prove a point), and describes how it took him 20 minutes.
Q. Will you be upgrading your password hash function to something that isn't vulnerable to a bored college student with 20 minutes of spare time?
Thank you for your time and consideration.
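The upgrade the third question asks for, as an added example that is not code from the post or from Linden Lab: verify a legacy salted-MD5 record and, on a successful login, rehash it in place with PBKDF2-HMAC-SHA256 so the plaintext is never needed again. The salt-then-password layout, the record dictionary and the iteration count are assumptions; the FAQ does not give them.

```python
import hashlib
import hmac
import os

# Legacy scheme as the FAQ describes it: one MD5 over salt + password.
# The exact salt layout is an assumption; the FAQ does not state it.
def legacy_md5_hash(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

def legacy_verify(password: str, salt: bytes, stored_hex: str) -> bool:
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(legacy_md5_hash(password, salt), stored_hex)

# Replacement scheme: PBKDF2-HMAC-SHA256, random 16-byte salt, high iteration
# count, so every guess costs roughly `iterations` times one MD5 call.
DEFAULT_ITERATIONS = 600_000  # assumed cost; tune to the login server's budget

def pbkdf2_hash(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, cost, salt and digest travel together,
    # so the cost can be raised later without a second migration format.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_migrate(record: dict, password: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Verify a constructed user record in either format; on a successful
    legacy login, rewrite it as PBKDF2. Record shapes (assumed):
      {"scheme": "md5_salt", "salt": bytes, "hash": hex}
      {"scheme": "pbkdf2", "hash": "pbkdf2_sha256$..."}"""
    if record["scheme"] == "pbkdf2":
        return pbkdf2_verify(password, record["hash"])
    if not legacy_verify(password, record["salt"], record["hash"]):
        return False
    # Correct password under the weak scheme: this is the only moment the
    # plaintext is available, so upgrade now rather than waiting for a reset.
    record.clear()
    record.update({"scheme": "pbkdf2", "hash": pbkdf2_hash(password, iterations)})
    return True
```

Accounts that never log in again keep the weak hash, so a migration like this is paired with a deadline after which remaining legacy records are invalidated and those users are forced through a reset.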