[Dataloss] Second Life game compromises 600K members

Andre afrech at gmail.com
Sat Sep 9 09:17:59 EDT 2006


As of this morning, Second Life reports 648,420 members.

http://secondlife.com/corporate/bulletin.php

---------- Forwarded message ----------
From: Linden Lab <Linden_Lab at mail.vresp.com>
Date: Sep 9, 2006 12:07 AM
Subject: Important Second Life Security Bulletin and FAQ

Hello Second Lifers,

As announced on our website at
http://secondlife.com/corporate/bulletin.php and corporate blog at
http://blog.secondlife.com/?tag=security, Second Life discovered an
attack on our servers on September 6, 2006. The full security bulletin
is reprinted below, followed by a FAQ that includes important security
advice for our community.

===================
SECURITY BULLETIN


*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today
that it is notifying its community of a database breach, which
potentially exposed customer data including the unencrypted names and
addresses, and the encrypted passwords and encrypted payment
information of all Second Life users. Unencrypted credit card
information, which is stored on a separate database, was not
compromised.

The breach was discovered on September 6, 2006 and promptly repaired.
The company then launched a detailed investigation that revealed an
intruder was able to access the Second Life databases utilizing a
"Zero-Day Exploit" through third-party software utilized on Second
Life servers. Due to the nature of the attack, the company cannot
determine which individual data were exposed. The company's technical
investigation is ongoing.

"We're taking a very conservative approach and assuming passwords were
compromised and therefore we're requiring users to change their Second
Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab.
"While we realize this is an inconvenience for residents, we believe
it's the safest course of action. We place the highest priority on
protecting customer data and will continue to take aggressive measures
to protect the privacy and security of the community."

Linden Lab advises all users to take appropriate precautions against
misuse of personal information. To reduce the risk of fraud, Linden
Lab will not contact individuals by phone or any other method asking
for private information unless it is in response to an inquiry from
the individual user.

===================
FREQUENTLY ASKED QUESTIONS

Q: I can't log in to Second Life. How can I regain login access?

A: As a security precaution, all Second Life account passwords have
been invalidated. You need to establish a new password in order to log
in. You can receive instructions for changing your password by
visiting http://secondlife.com/password. Please note that we are
updating the password request process - if you have recently tried
that page and could not change your password, please try again.


Q: Was my account information compromised?

A: We discovered that a database was accessed by the intruder, and we
are able to determine the aggregate size of the data that was
downloaded through the intrusion. The database accessed includes
customer account information, including Second Life account names,
real-life name and contact information in unencrypted form. Account
passwords and payment information (consisting of credit card numbers
and PayPal transaction IDs) are stored in this same database in
encrypted form. However, there is no way to identify which data were
accessed at the level of individual users, only the aggregate size of
the downloads returned from the intruding database queries. We are
conducting further investigation to try to determine the class of data
exposed.


Q: Is my information still at risk from another attacker?

A: The compromised system was rebuilt and made more secure. We will be
announcing additional plans for security improvements in a post to
come on our blog, at http://blog.secondlife.com/?tag=security.


Q: Should I be concerned that encrypted password and encrypted payment
information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data)
to encode passwords and payment information, an industry standard
technique that is commonly regarded as difficult to defeat. However,
no hash or encryption is unbreakable, given enough time and computing
power. If you believe that you may be the victim of credit card fraud,
you should contact your credit card company. If you use your Second
Life password on other websites, online services, or any other
services, you should change the password on that service as well. You
can find additional tips for protection of your identity online at
http://www.privacy.ca.gov/sheets/cis1english.htm.


Q: What kind of attack was used to gain access to the Second Life
databases? Has the identity of the attacker been established?

A: We have gathered a significant amount of information regarding the
attack and the attacker. However, because the investigation is
ongoing, we cannot provide very detailed information regarding the
type of attack or identity of the attacker. We can disclose that the
intrusion path took advantage of a "zero-day exploit" in third-party
web software.


Q: What was the timing of the attack and Linden Lab's investigation?

A: Our forensic investigation began on September 6, 2006. Based on
this investigation, the intrusion attempts may have started as early
as September 3, 2006. However, we have not found evidence of
successful database access occurring before September 5, 2006. On
September 6, 2006, unusual activity in our database logs revealed the
attack to Linden Lab, and we investigated, found and closed the
intrusion on the same day. At that point, there was no evidence that
databases containing customer identity information had been
compromised. For the following two days, the focus of our
investigation was to determine the extent of the database access and
the nature of the data downloaded from our system. On September 8,
2006, we concluded that there was a substantial likelihood that
customer account information could have been accessed. The
investigation is ongoing and we will report further results as they
become available at http://blog.secondlife.com/?tag=security.



Sincerely,

Linden Lab and the Second Life team
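The FAQ above says passwords were stored as a salted MD5 hash and that no hash is unbreakable given enough computing power. The following is an added example, not code from Linden Lab or the Dataloss list: it implements a salted MD5 scheme of the kind the bulletin describes, shows what the salt does and does not buy a defender, measures how much cheaper one MD5 guess is than one guess against a slow, iterated hash, and shows the verify-then-upgrade pattern used to migrate stored hashes after an incident. The digest layout (salt || password), salt length, the PBKDF2 parameters and the record format are assumptions made for the example; the bulletin discloses none of them.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example; the bulletin does not disclose Linden Lab's.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def md5_salted(password: str, salt: bytes) -> str:
    """Salted MD5 as the FAQ describes it. The order salt || password is an
    assumption; the bulletin only says a hash and a salt were used."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def store_md5(password: str) -> dict:
    """Create a stored record with a fresh random per-user salt."""
    salt = os.urandom(SALT_BYTES)
    return {"scheme": "md5-salted", "salt": salt.hex(),
            "digest": md5_salted(password, salt)}


def verify_md5(password: str, record: dict) -> bool:
    """Constant-time comparison so verification itself leaks nothing."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(md5_salted(password, salt), record["digest"])


def salt_defeats_table_reuse(password: str) -> bool:
    """A per-user salt means two users with the same password get different
    digests, so one precomputed table cannot be reused across accounts.
    It does nothing to slow down guessing against a single record."""
    a, b = store_md5(password), store_md5(password)
    return (a["digest"] != b["digest"]
            and verify_md5(password, a) and verify_md5(password, b))


def store_pbkdf2(password: str) -> dict:
    """A deliberately slow, iterated hash: each guess costs the attacker
    PBKDF2_ITERATIONS hash computations instead of one."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "digest": dk.hex()}


def verify_pbkdf2(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["digest"])


def verify_and_upgrade(password: str, record: dict):
    """Migration pattern after an incident: stored hashes cannot be converted
    offline, so a legacy record is re-hashed with the stronger scheme at the
    first successful login. Returns (ok, record_to_store)."""
    if record["scheme"] == "md5-salted":
        if not verify_md5(password, record):
            return False, record
        return True, store_pbkdf2(password)
    return verify_pbkdf2(password, record), record


def work_factor_ratio() -> float:
    """How many times longer one PBKDF2 verification takes than one salted MD5.
    This is the 'enough time and computing power' the FAQ mentions, in numbers."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    md5_salted("example", salt)
    t_md5 = time.perf_counter() - t0
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"example", salt, PBKDF2_ITERATIONS)
    t_pbkdf2 = time.perf_counter() - t0
    return t_pbkdf2 / max(t_md5, 1e-9)


if __name__ == "__main__":
    rec = store_md5("correct horse")          # constructed sample credential
    print("md5 verify:", verify_md5("correct horse", rec))
    ok, upgraded = verify_and_upgrade("correct horse", rec)
    print("upgraded to:", upgraded["scheme"])
    print("one PBKDF2 guess costs ~%.0fx one salted-MD5 guess" % work_factor_ratio())
```

The point for a defender is the last function: the salt stops a single precomputed table from covering every user, but a salted MD5 still lets an attacker who holds the table test each guess at roughly the cost of one MD5, whereas an iterated hash raises that cost by a configurable factor. The upgrade-on-login path is the usual way to move an existing user base to the stronger scheme after a forced password reset like the one in the bulletin.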

