07-19-2005 12:32
Yesterday morning, we discovered a small group of users exploiting a problem whereby a hacked viewer could, through a series of operations, see the scripts attached to a specific object to which the user didn't have access rights. Using this exploit, 5 SL users were able to collect about 50 scripts from a total of about 13 different in-world objects. No in-world objects beyond these were affected, and there was no ability to change permissions or make any other changes to the actual in-world objects. The full extent of the exploit was the ability to see the text contents of a script when that viewing should not have been allowed.

The 5 users involved have been permanently expelled from Second Life, and we dropped everything to work on this as soon as we heard about it yesterday morning. We posted a modified viewer to the site at 3:20 PST yesterday to eliminate the ability to perform this exploit, and are continuing to deploy back-end and server changes to completely eliminate this class of exploit.

The fundamental architecture of SL wherein scripts and objects reside on servers and are only ever streamed to those users who are verified to have the correct permissions means that SL can have a provably secure digital rights system. Unfortunately, though the architecture is sound, there is always the chance that we accidentally introduce bugs. That is what happened here - a complicated set of actions was found which tricked the server into giving out the contents of a script on an object. We will be very aggressive about fixing bugs like these within hours - I think we did a fairly good job with this one.
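The architecture described above comes down to one rule: script text stays on the server and is released only after the server itself has checked the requester's rights, never on the strength of anything the viewer asserts. The following is an added illustration written for this post, not Linden Lab's code; the asset model, the permission rule, the function names and the sample data are all assumptions. It contrasts a fetch path that trusts a client-supplied "I am permitted" flag (the kind of server-side mistake a modified viewer can exploit) with one that decides purely from server-side state, and records denials so that a cluster of refused requests from one account stands out.

```python
"""Server-side permission gate for script text (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScriptAsset:
    asset_id: str
    owner: str
    source: str
    # accounts explicitly granted view rights (assumed permission model)
    allowed: frozenset = frozenset()


@dataclass
class AssetServer:
    assets: dict
    denials: list = field(default_factory=list)  # (user, asset_id) audit trail

    def can_view(self, user: str, asset: ScriptAsset) -> bool:
        """Authorization decided only from server-side ownership/grants."""
        return user == asset.owner or user in asset.allowed

    def fetch_script_weak(self, user: str, asset_id: str,
                          client_claims_permitted: bool = False):
        """Flawed pattern: a client-asserted flag short-circuits the check."""
        asset = self.assets.get(asset_id)
        if asset is None:
            return None
        if client_claims_permitted or self.can_view(user, asset):
            return asset.source
        return None

    def fetch_script(self, user: str, asset_id: str,
                     client_claims_permitted: bool = False):
        """Hardened pattern: the client's claim is accepted as input but
        never consulted; every refusal is logged for later review."""
        asset = self.assets.get(asset_id)
        if asset is None:
            return None
        if not self.can_view(user, asset):
            self.denials.append((user, asset_id))
            return None
        return asset.source


def suspicious_users(server: AssetServer, threshold: int = 3) -> list:
    """Accounts refused at least `threshold` times: candidates for review."""
    counts: dict = {}
    for user, _ in server.denials:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def build_demo_server() -> AssetServer:
    """Constructed in-world objects; owners and script bodies are made up."""
    assets = {
        "script-1": ScriptAsset("script-1", "alice",
                                'default { state_entry() { llSay(0, "hi"); } }'),
        "script-2": ScriptAsset("script-2", "bob", "default { touch_start(integer n) {} }",
                                allowed=frozenset({"carol"})),
        "script-3": ScriptAsset("script-3", "carol", "default {}"),
    }
    return AssetServer(assets)


def run_demo() -> list:
    """Replay a modified viewer's requests against both fetch paths and
    return the accounts the denial log flags."""
    server = build_demo_server()
    # The weak path hands out the source when the client merely claims rights.
    leaked = server.fetch_script_weak("mallory", "script-1", client_claims_permitted=True)
    assert leaked is not None
    # The hardened path ignores the claim and logs each refused attempt.
    for asset_id in ("script-1", "script-2", "script-3"):
        assert server.fetch_script("mallory", asset_id, client_claims_permitted=True) is None
    # Legitimate owner and explicitly granted account still get the text.
    assert server.fetch_script("alice", "script-1") == server.assets["script-1"].source
    assert server.fetch_script("carol", "script-2") == server.assets["script-2"].source
    return suspicious_users(server)


if __name__ == "__main__":
    print("flagged accounts:", run_demo())
```

The point of the contrast is that the hardened `fetch_script` takes the same request shape as the weak one but its decision depends solely on `can_view`, so a viewer that lies about its rights gains nothing, and the resulting denial records are exactly the signal a fast-response team would want when looking for the small group of accounts involved.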
_____________________
Philip Linden
Chairman & Founder, Linden Lab
blog: http://secondlife.blogs.com/philip