Welcome to the Second Life Forums Archive


LL Website breach/Age Verify website in trouble before

Arianna Baron
Second Life Resident
Join date: 28 Nov 2004
Posts: 23
06-04-2007 21:22
I will try to summarize here so those not interested will not have to read:

1. I came to this website to get help recently and was given personal information about 2 other members in error by LL's guest help area

2. The company whom LL has chosen to age verify us was caught giving out tons of personal information by a reporter in 2003 (see Wired article discussed below-I am sure others have brought this up).

Recently I hoped to reactivate an alt I had not used since before the password debacle for business reasons and I could not call anyone at LL to get it reset (it was listed under an email address whereby I switched providers and no longer have). My in game partner called the concierge and I was advised the ONLY way to get this handled was to log in as a guest/basic account member (even though I have paid $50 a month for well over a year) and report the issue.

I followed instructions and when I clicked on my topic as a guest, I was immediately shown a form ANOTHER member completed requesting help instead of being given a blank form to complete as I should have been given. What I was given:

1. The person's email address which disclosed a TON of real life info:
a. What country they were in
b. their rl name (which appeared in her work email address)
c. the name of the university for which she works
d. her exact email to LL about her problems, including the name of where she worked and other personal details. Luckily for her, she was trying to activate a new account so no avatar name was associated. If it were, I was just given enough information where I could track her in a heartbeat and I was in shock and very upset.

I tried again using another associated topic. This time I was given ANOTHER person's information-an active member's avi name, his/her email address, as well the problems he/she was having in game. This one was where the person described that she changed her password and could not log in...just imagine for a minute if she included her old and new passwords thinking she was on a "secure" server and someone with bad intentions accessed that??

I immediately said not a chance in you know what will I EVER complete a form on this site ever again for help. THANKS SOOO MUCH for getting rid of the help line where we cannot safely report security issues.

I immediately took screen shots. I then copied and pasted the details and ONLY sent them directly to the two people whose information was compromised (I only viewed two-imagine how many more were) via their internet addresses. I advised them what I was given in error and told them to contact LL immediately because personal information was given to me ON THE GUEST/BASIC MEMBERSHIP form where many request help. Due to me seeing that this system was compromised and how LL gave out this information in error, I was not about to send a report to LL and be compromised as well. My partner would have called the concierge again but no one was available as it was a time the line was not open (after I wasted an hour trying to resolve my issue and discovered the security compromises).

I still have the screen shots LL-you know how to reach me if you need them. I will NOT give them or display them here because personal information was disclosed and this totally made me feel your security is highly lacking. You can pick up a phone and CALL me if you wish to discuss this compromised information but I am not holding my breath.

Also, why did you choose to go with a third party company (Aristotle/Integrity) that Wired exposed in 2003 for readily selling extremely personal information without verifying the buyer?? The reporter listed names Britney Spears and Condi Rice as buyers...come on!! Some of the information they disclosed and got busted for:

"The data includes birth dates, home addresses, phone numbers, race, income levels, ethnic backgrounds and, in some cases, religious affiliations."


"But in reality, Aristotle's site allowed anyone to register and purchase lists under a phony name and address. The site asked only for a name, the state where the buyer resided, an e-mail address and a phone number. Fields for mailing address and company name were optional. "

Three days after an initial discussion, the company still had not determined the source of the problem.

Colopy said the company temporarily disabled the automated feature to prevent further unauthorized sales. Any new buyers visiting the site would have to deal with a live person before completing a transaction, he said.

But two days later, Wired News again was able to purchase lists on the site using a phony name.

Besides a name, address, phone number and birth date, the lists included each voter's registration date, political affiliation, income range, occupation and whether he or she owned a home or had children.

Ethnic codes identified voters as black or white (nine states ask voters to declare their race; three of them require it) and other codes identified Scots-Irish, French, Arab, Jewish or Catholic voters. A phone survey of voters who were identified as Arab on the list, however, indicated the data was incorrect.

Aristotle also listed information about each voter's participation in past elections, as well as campaign and charitable contributions taken from Federal Election Commission records. Charitable contributions were divided into religious, environmental, animal-rights and domestic-abuse categories. "

Ok yes, this information is from four years ago but you REALLY expect in this day and age where identity theft is the fastest growing crime across the world for us to think this company is ok now and we are safe???

Again, when they got busted, here was their response:

"Three days after an initial discussion, the company still had not determined the source of the problem."

With SL in the news nonstop every hacker wanting to make a quick buck is going to go after this list and there are going to be people internally willing to sell it to make some money.

GL LL, I see MANY lawsuits against you if this information is used for purposes other than you have disclosed or if it gets hacked or leaked, which I think may happen.

P.S. I am married to a programmer who manages software for one of the biggest entertainment companies in the world (worth a lot more than SL-) and his words: thousands of hackers try to break their website weekly to get customer information and credit card information and they have spent millions to avoid a hack and have a special internal department set up that deal with this issue- they have successfully avoided a hack and kept information from getting into outsider hands where an employee from a third party could sell out for quick cash. When you hire outside companies and data is transmitted back and forth, you are opening yourself up to a world of bigger problems and potential legal issues when this data is eventually compromised. Why not hire some of the pros in the world to keep this in your hands? Because you were hacked before? Good luck
LL

Edit:
Anyone that voluntarily provides information to a company (third party) that has already collected your data (sounds plausible the more I read about this third party site) and readily allowed others to purchase your demographics previously and share them readily before they were hired to collect even MORE info about you (previous:your race, religion, address, political views, sex, birth date, EVEN information about your children)-what is going to stop them from sharing this too? You are DEF going to be sold out as a person who according to SL rules, is a sexual deviant that need to access hard core sex areas in SL. Welcome to the new age of Big Brother.
Elinah Iredell
Registered User
Join date: 14 Aug 2006
Posts: 269
06-04-2007 22:22
Linden is handing you other people's messages? How?... Is it somehow tied to your being a sim owner? Since you can access the concierge line I assume that you are... do you have some special type of computer or software different than most? Has it ever happened again or just this once?

I think the idea of giving personal info over the internet is stupid ... but unfortunately people will do it... did you know you need to provide your fingerprints to get into disney world these days? Scary.

Elinah
Broken Xeno
~Fething Alt~
Join date: 9 Mar 2007
Posts: 632
06-04-2007 22:25
From: Arianna Baron
I will try to summarize here so those not interested will not have to read:

1. I came to this website to get help recently and was given personal information about 2 other members in error by LL's guest help area

2. The company whom LL has chosen to age verify us was caught giving out tons of personal information by a reporter in 2003 (see Wired article discussed below-I am sure others have brought this up).


Woah. That I did not know. While I am all for age verification, I am not for personal information being passed through a company that was already caught with its hand in the cookie jar, so to speak.

Big thumbs down on that. =\
_____________________
Howard Sachs
Human Scum
Join date: 4 Nov 2005
Posts: 124
Yikes!
06-05-2007 00:20
That was a bit scary reading, but I hope it is not as bad as it looks *crosses fingers*. Looking forward to further comments and opinions on this matter.
_____________________
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-05-2007 04:45
Can't wait to see the Blog Post on this one.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Lota Lyon
Registered User
Join date: 5 Oct 2006
Posts: 245
One they caught
06-05-2007 05:33
Howard... this is one that got caught. Now imagine how many Companies that collect information like this haven't been caught!

My husband is in law enforcement at the federal level and his view on this is "anyone who gives this kind of personal information to ANY 3rd party is just asking to experience identity theft first hand". His take on this move is that LL doesn't want the liability associated with the collection and safe and responsible use of this information, so they will contract it out to save their butts, which means they think more of themselves than they do their customers... anyone who's been on SL for more than an hour knows how true that statement is.

As for me it's real simple, they push this stupidity on us and I sell my land (for whatever I can get for it), close my business, cancel my paid account and return to a "free" and UNFLAGGED account status. Then stay on our family's leased land on a private island and do what I want there. I save $48US/month, LL forfeits $48/month. Their choice, not mine!


From: Howard Sachs
That was a bit scary reading, but I hope it is not as bad as it looks *crosses fingers*. Looking forward to further comments and opinions on this matter.
Sweet Primrose
Selectively Vacuous
Join date: 30 Nov 2006
Posts: 375
06-05-2007 05:51
Sane people will not participate in LL's ID verification scheme. This thread is further confirmation on the many reasons why it is a terrible idea. As I have said elsewhere, let me verify by purchasing a one-time game-card at my local game store. I'll show my photo ID to the clerk at the counter, knowing that he/she will not sell his memory of my picture to some third party. If this is really about "the children" then LL should have no problem doing it this way.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-05-2007 06:22
From: Sweet Primrose
Sane people will not participate in LL's ID verification scheme. This thread is further confirmation on the many reasons why it is a terrible idea. As I have said elsewhere, let me verify by purchasing a one-time game-card at my local game store. I'll show my photo ID to the clerk at the counter, knowing that he/she will not sell his memory of my picture to some third party. If this is really about "the children" then LL should have no problem doing it this way.


Or send me a letter via registered mail that I will sign to receive, fill out and sign stating I am who I say I am, which I will return to Linden via registered mail. It is a federal offense after all to receive mail not addressed to you.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Gillian Waldman
Buttercup
Join date: 1 Oct 2006
Posts: 697
06-05-2007 07:15
yikes - this is very bad news.
_____________________
http://www.deuxlooks.com/
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
06-05-2007 09:39
This Aristotle story is not a brand new, hot off the presses revelation sensation. It was stirred 'round the pot on the first round of verification threads. Integrity, although owned by Aristotle, is NOT the company who was exposed selling information without verifying the buyer.

Chew on it however you like, I just wanted to set out a few facts about it.
_____________________
From: Albert Einstein
Problems cannot be solved at the same level of awareness that created them.
Ravanne Sullivan
Pole Dancer Extraordinair
Join date: 10 Dec 2005
Posts: 674
06-05-2007 09:42
From: Howard Sachs
That was a bit scary reading, but I hope it is not as bad as it looks *crosses fingers*. Looking forward to further comments and opinions on this matter.


This is actually far worse than it looks. It shows that LL has no real interest or ability to protect our personal information. They routinely make major mistakes in their software updates, mistakes that should never slip past even a rudimentary QA process so why should we believe they put even a fraction of that effort into making sure their web site is secure?

Can't wait to see the Blog Post on this one.

There will be none. LL does not read or care about anything posted in these forums.
_____________________
Ravanne's Dance Poles and Animations

Available at my Superstore and Showroom on Insula de Somni
http://slurl.com/secondlife/Insula de Somni/94/194/27/
Howard Sachs
Human Scum
Join date: 4 Nov 2005
Posts: 124
06-05-2007 11:16
Well if I will have to downgrade to a free basic account, so be it. I will for now wait and see how this plays out, though. Thanks for the warning and information.
_____________________
Object Pascale
moshi moshi
Join date: 27 Jan 2007
Posts: 648
06-05-2007 11:44
From: Ravanne Sullivan
This is actually far worse than it looks. It shows that LL has no real interest or ability to protect our personal information. They routinely make major mistakes in their software updates, mistakes that should never slip past even a rudimentary QA process so why should we believe they put even a fraction of that effort into making sure their web site is secure?
Firstly, this was originally posted to another forum, but maybe the mod is too busy closing useful threads to deal with crossposts. :rolleyes:

Secondly, has anybody else managed to reproduce this issue using the scant information available? I tried, but found the support system to be secure. It wouldn't let me read tickets I didn't submit (no permissions). The OP could be reporting this correctly of course, but let's not beat about the bush here: if private data is being exposed, we should be dealing with that instead of reigniting the whole Integrity debate again. Dealing with it equals: Filing a bug in the 'exploit' category so that Brent Linden gets instantly notified and emailing a few Lindens. Brent obviously, but Jeska, Robin & Torley would be good additional choices. The last would at least grace you with a response.

Thirdly, it's a big leap to suggest (i) a vulnerability on a website (ii) happened because the company responsible wasn't working to keep it secure. Shit happens. And it very often happens to the largest and/or most successful computer companies out there.
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
06-05-2007 12:19
The OP sounds like a troll to me. They found this huge 'security breach' that no one else can find, and decided not to report it to LL... that makes little sense.
_____________________
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
06-05-2007 12:36
Just a reminder, this forum is for asking questions to other Residents. Linden Lab has followed up with the original poster's claim and will of course investigate it, as we do take privacy issues very seriously.

I am closing this thread to prevent further supposition and will be sure to report back if there are any updates.
_____________________
"The opportunity to participate in the creation of a new world is really a rare one, and so I hope you cherish it."
- Mitch Kapor on Second Life at the 2006 SLCC
Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
06-05-2007 16:08
UPDATE:
We have thoroughly investigated this issue and are happy to report that there is no current security issue as described.
_____________________
"The opportunity to participate in the creation of a new world is really a rare one, and so I hope you cherish it."
- Mitch Kapor on Second Life at the 2006 SLCC