Second Life Security Bulletin

September 8, 2006

Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.

The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "0-Day Exploit" through third- party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed. The company's technical investigation is ongoing.

'We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community. "

Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

main page ATTRITION feedback