Slashdot Mirror

← Back to Stories (view on slashdot.org)

Second Life Database Intrusion via Web

Posted by ryuzaki0 on from the cybering-furries-have-to-pause-for-air dept.

Jim writes "A major security exploit has been discovered by Linden Labs, the company that operates Second Life. It turn out that on September 6th, an intruder gained access to the Second Life database. They have since closed the exploit. Today, September 8th, they finally announced this to residents and have cancelled all passwords. They have asked everyone to use the reset password form to make a password. This has resulted in mass confusion amongst residents on the forums who cannot remember their security question. Many more details below. Calls to Linden Labs offices in California are directed to a message telling residents to change their password via secondlife.com/password.

According to the Second Life Blog:

"On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the "Forgot Password" link. An email will be sent to the email address you have registered with us. (Don't forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password."

48 comments

  1. Ack by GigsVT · · Score: 2, Interesting

    Don't slashdot their servers before I can change my password.

    Yes, the fact that the blog runs on the same MySQL cluster as the main account passwords has more than one side effect. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  2. Does anyone else see a problem with this? by Da+w00t · · Score: 4, Insightful

    An intruder gained access to the database . So they're resetting passwords. Good.

    But they're using the "security question" ... which is also probally in the same database that was already compromised?

    and how is this fixing the problem? What exactly prevents the intruder from using the security question out of the database they compromised?

    --

    da w00t. mtfnpy?
    1. Re:Does anyone else see a problem with this? by kcbnac · · Score: 5, Informative

      You first have to click the link from the registered email address.

      SO you'd have to have that randomly-generated link to make use of said security question.

    2. Re:Does anyone else see a problem with this? by Megaweapon · · Score: 1

      Hopefully they hashed+salted the answer to the question. Hopefully.

      --
      I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    3. Re:Does anyone else see a problem with this? by Southpaw018 · · Score: 4, Informative

      Herein lies an additional problem with security questions. I don't answer them. I work for a nonprofit. The gentleman whose job it is (for lack of a better way to say it) to find rich people to donate money to us sits in the office next to mine. His data mining capabilities are beyond my comprehension, and I'M supposed to be "the computer guy" here. I sat down with him one day and with 15 minutes and $20 he had enough info about me to get into my bank account via the security questions feature.

      The answer to my security questions on ALL websites is now something to the effect of 20-40 random characters.

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    4. Re:Does anyone else see a problem with this? by Rolan · · Score: 1

      Seems e-mail addresses were gotten, too. Hope nobody used the same password for their e-mail address as they did their SecondLife account..... If they did, then that e-mail link is pretty useless.

      --
      - AMW
    5. Re:Does anyone else see a problem with this? by merlin_jim · · Score: 1

      An intruder gained access to the database . So they're resetting passwords. Good.

      But they're using the "security question" ... which is also probally in the same database that was already compromised?

      ironically, I just got done going through the process when I decided to check slashdot lol.

      In order to load the security question you have to click on a link with a UUID in an e-mail to your registered address - the attacker would have to have access to your e-mail as well.

      Also I would note that the attacker got encrypted passwords - no word on how strong the encryption was, but there's at least even money he can't read them anyways.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    6. Re:Does anyone else see a problem with this? by bateleur · · Score: 1

      Passwords aren't generally stored except in encrypted form (and as I understand it that's what was done here) so that shouldn't make a difference.

    7. Re:Does anyone else see a problem with this? by muftak · · Score: 1

      They might store passwords in plain text for support purposes, and even if they were encrypted a password cracker would probably get quite a few.

    8. Re:Does anyone else see a problem with this? by jthill · · Score: 1
      You first have to click the link from the registered email address.

      Also in the database. Care to guess how many people have a standard password for low-security use (and don't know better than to use it for their email)?

      Not that I'm swinging a bat a Second Life here — shit happens. People screw up. They fixed it.

      --
      As always, all IMO. Insert "I think" everywhere grammatically possible.
    9. Re:Does anyone else see a problem with this? by TubeSteak · · Score: 2

      Depends on what kind of hashing/salting Linden Labs used for their passwords.

      Even that isn't going to prevent a cracker from running brute force dictionary attacks against the users' e-mail addresses/servers .

      --
      [Fuck Beta]
      o0t!
    10. Re:Does anyone else see a problem with this? by ichigo+2.0 · · Score: 3, Informative

      The summary says the passwords were stored in encrypted form. Usually one would hash the password, making it very difficult and time-consuming to decrypt the password.

    11. Re:Does anyone else see a problem with this? by recordMyRides · · Score: 1

      It is easier for a lazy developer to simply plain text the passwords and secret question answers. The fact that the web developers left their website open to a sql-injection attack does not give me much confidence that they used a proper salt & hash.

      --
      Track and chart data from your bike computer.
    12. Re:Does anyone else see a problem with this? by xtracto · · Score: 2, Interesting

      Herein lies an additional problem with security questions. I

      Ya, security questions are stupid. I remember going into several chicks account on the ICQ times. The recipe was:

      1. Search for interesting (age, city, status of profile) girl with ICQ search option.
      2. Get into email page (preferably hotmail or yahoo mail or any other webmail) and go through the "forgot my password"
      3. Bypass the "whats your age and other general info" filter, looking of courrse in their profile, it was so funny to look how they filled their profile with everything i needed.
      4. Answer their stupid password (I liked how some sites had and still have 3 or 4 compulsory "questions" to be answered, and I loved more how people *really* answered them).
      5. Profit (with the best thing is when this webmail pages would let you in the mail after doing that, or better yet just gave you the password in plain).

      Nowadays is a bit more difficult (of course, if you dont have the general informaiton). But, as they say Google is your friend. And I am sure it might be possible (if you live for example in the same country of the "victim") to use other means to get more informaiton (white pages, etc etc).

      What I usually do, is write something completely unrelated as the answer to the security question. It is in some way another password for me.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    13. Re:Does anyone else see a problem with this? by faloi · · Score: 1

      You first have to click the link from the registered email address. SO you'd have to have that randomly-generated link to make use of said security question.

      Perhaps someone can educate me... Are the security questions in Second Life the same as most other things... You get a drop-down box with options for your question, then type in your answer?

      Why do I sense a lot of phishing that's going to be going on? The user gets a phishy email, clicks on the link, does their security stuff and enter their new password, which obviously doesn't work. Then they get a real Second Life email thing, do the same thing and their password is changed. The average user would probably just use the same password on both links, and not think anything of it.

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
    14. Re:Does anyone else see a problem with this? by mdielmann · · Score: 2, Insightful

      Well, I'll tell you my system. I make up words. They're made up, so I don't use them in regular conversation. They're pronounceable, so I can remember them well enough. They won't be found in a dictionary, because they aren't real. If I have 4 or 5, I should have enough for most secure systems. I use less secure passwords for stuff where I don't care if you get in - my slashdot account, for instance.

      What ticks me off are banks that only allow 4 digits for PINs. My old bank allowed 6, a 1 in a million chance, and harder to keep track of if you're trying to peek over my shoulder. 4 digits are almost impossible to hide effectively without wearing your tinfoil hand visors.

      --
      Sure I'm paranoid, but am I paranoid enough?
    15. Re:Does anyone else see a problem with this? by Fweeky · · Score: 1

      Better not forget the random salt, or your hashed passwords are pretty transparent to anyone with a CD of rainbow tables and a few minutes of CPU.

    16. Re:Does anyone else see a problem with this? by Breakfast+Pants · · Score: 1

      The thing that should really concern them is that the passwords are probably represented in the database as MD5 checksums. The problem with this is that the intruder can essentially run a dictionary attack through an md5 program and get a lot of common words (there are actually multiple gigabyte databases out there on the web for free, full of text of common password/md5 checksum pairs). With the plain text passwords of many users in hand (certainly not all), they can then go about trying these on banking sites, etc. using the usernames from the databases. MD5 checksum storage for passwords really is a weak link in a lot of systems. It works fine for very strong passwords, but it doesn't solve as many problems as people think. (Note: it doesn't matter whether it's MD5 or SHA-n or whatever for the attack I'm talking about, the attack doesn't involve 'cracking' md5, it simply relies on common passwords being enumerable.)

      --

      --

      WHO ATE MY BREAKFAST PANTS?
    17. Re:Does anyone else see a problem with this? by Jesrad · · Score: 1

      From the associated FAQ:

      Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

      A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information

      So it seems pretty safe. I'm glad they reacted the way they did and use good security practices for storing info, I wish they reacted faster, I hope they did not detect the intrusion through user complaints but instead through routine checks so that no one lost anything.

      --
      Maybe we deserve this world ?
    18. Re:Does anyone else see a problem with this? by KDR_11k · · Score: 1

      I find those drop-down box qeuestions to be way too insecure. We are repeatedly told not to use any words or data that can be found through social engineering (you know, like your birthday) yet those drop-down boxes contain only questions of such an insecure nature.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    19. Re:Does anyone else see a problem with this? by KDR_11k · · Score: 1

      Pfft. Even my sister, a total computer illiterate person, managed to break several security questions. Many people will just answer you if you ask them the question they used for that. Others simply use Q:Wazzup? A:Nothing.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    20. Re:Does anyone else see a problem with this? by KDR_11k · · Score: 1

      That's what salt is for, add a short string to the password before hashing and the hash is completely different and all hash lists are useless.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    21. Re:Does anyone else see a problem with this? by Hydryad · · Score: 0

      TBH that is not ironic so much as simply coincidental. On a related yet undoubtedly offtopic note, security questions aren't.

      --
      No sig for you, two weeks!
    22. Re:Does anyone else see a problem with this? by Anonymous Coward · · Score: 0

      Wells Fargo, at least at the time I did it, allowed me up to 12 characters for a pin when I requested a pin change. I don't know if the magnetic track on the card really supports that, however, so I'm taking it on faith that my extra digits aren't just truncated.

  3. Kudo's for intelligent security actions... by hcob$ · · Score: 0, Flamebait

    Too bad the clients are mostly as bright as the a match.... in a blizzard.... on Mt. Everest.

    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
    1. Re:Kudo's for intelligent security actions... by Anonymous Coward · · Score: 1

      Kudo's what?

  4. Oh, dear... by __aaclcg7560 · · Score: 1

    There's goes the planet. Time for a third life...

  5. Are you kidding me... by hxftw · · Score: 1

    Its already been slashdotted.

    --
    Just because an idea is popular doesn't make it right.
    1. Re:Are you kidding me... by merlin_jim · · Score: 1

      Its already been slashdotted.

      I highly doubt that it's slashdotted... far more likely it's SLdotted - SL's website is never that fast anyways, and can crash / become unusable from load related problems completely and totally unrelated to slashdot, in my experience...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
  6. Wow! by KitsuneSoftware · · Score: 2, Funny

    Finally, it's good to see a company taking security seriously!

    That said, and this isn't their fault, I'm cynical about the claim that credit card data wasn't compromised...

    1. Re:Wow! by planetjay · · Score: 1

      Are you retarded? They're not taking security seriously. They never have. The fact that this happened proves it!

  7. ObPA by Rob+T+Firefly · · Score: 4, Funny

    Secret questions can be troubling.

    --
    Slashdot Burying Stories About Slashdot Media Owned
    1. Re:ObPA by Das+Modell · · Score: 1

      I hate security questions. They're totally insecure and I never use them anyway. I have a small set of different passwords that I use everywhere, randomly. Maybe this isn't the best possible practise, but I'm just some lonely guy on the Internet, and not working for a company or in charge of national security. At least I always remember my passwords or, failing that, try all of them until I find the right one.

      Correct me if I'm wrong, but isn't it a bit insecure to have questions like "what's your mother's name" and expect people to answer honestly? For a would-be hacker, it wouldn't very challenging to find out the answer, would it (unless you're just some nickname on the Internet)? Therefore, I will just enter some random bullshit answer, which of course I can't remember five minutes later, and thus the security question is useless.

    2. Re:ObPA by ocelotbob · · Score: 1

      Like always, real life is much more hilarious than PA.

      --

      Marxism is the opiate of dumbasses

    3. Re:ObPA by GigsVT · · Score: 1

      At least I always remember my passwords or, failing that, try all of them until I find the right one.

      That always worries me when I have to do that.

      Now that site knows all my passwords. They might even be sitting in some "invalid login" log file, in plaintext.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  8. Re:This could be serious by CronoCloud · · Score: 3, Informative

    I'm sorry that's incorrect. That used to be the case, but not anymore. While the "input credit information" page still comes up, you can skip it.

  9. It took two days to cancel passwords by jstrauser · · Score: 3, Interesting

    This means users were vulnerable without notice of a breach during that time.

  10. No CC or Cell phone # Needed anymore by Anonymous Coward · · Score: 2, Informative

    No CC or cell phone needed for a couple of months now.
    Signups now on SL are only tied to a valid email address

  11. Re:This could be serious by Anonymous Coward · · Score: 0

    Actually, that's no longer true. For a while now, it's been possible to make accounts without a card (you still need to put one in to get money, though).

  12. Praise for Linden Lab by mrdudy · · Score: 1

    I'm really impressed by the way Linden Lab has been handling this issue. Though the exploit seems to be not their fault, they are still humbly taking the blame. In addition, as soon as they figured the extent of the hack, they reported it to the users, and immediately changed all the account passwords in their systems. They didn't really need to do this, ie, they could have just issued a warning, but its shows that they care about the user's security more than their public image (no doubt this password change will negatively affect the community for weeks to months).

    The way I see it, every one is going to be hacked. Its a fact. I just praise the way Linden Lab has handled the situation thus so far.

    1. Re:Praise for Linden Lab by Anonymous Coward · · Score: 0

      You're not reading the SL user forums.

      Actual SL users are up in arms that it happened at all, that it took two days to tell anyone, that the fix isn't really a fix (as noted, they database that was stolen likely contains the answers to the security question needed to reset accounts), and that their SL user data has possibly been connected to their real-life information, and their credit info may have also been stolen.

      As you must know, many SL users take great pride in keeping their "real life" info out of the game, which is one of the reasons SL users tend to do things they'd never do in reality. But now, someone has stolen all they need to tie the SL to the RL. This is bad, bad, bad.

      In my main SL account, my "real life" info is fake. I'm not me in the game, and my info on file isn't really me either. SL is the only place that fake info has ever been used or given to anyone. If I start getting spam or phishing with that info, then it will have been from this breach. That account is funded via Paypal so at least there's no credit card to steal.

  13. holy hell by Desolator144 · · Score: 1

    If that happened in the game I play (Silkroad Online) people would be pissed. No wait, TURBO PISSED! I think that alone could change South Korea into "the bad half" cuz that's where they made the game. Last time I tried to change my password, it wouldn't take my answer to my secret question even though I triple checked it when I made it.

    --
    now stop reading and go play Dance Dance Revolution!
  14. Sockpuppet? by Argyle · · Score: 1

    Praise?

    C'mon this has got to be a plant. Even a rabid Second Life fanboy wouldn't be praising this security breach. Of course it's Linden's fault for the breach.

    --
    nuclear iraq bioweapon encryption cocaine korea terrorist
    1. Re:Sockpuppet? by bateleur · · Score: 1

      There's also the fact that this is the only issue he has ever felt worthy of comment since signing up for his account.

      I dunno, you think Linden would have enough money to shell out for a professional sockpuppeting service. It's not like they've been spending all their money on server security!

  15. Hacking Second Life? I'm not worried... by NexFlamma · · Score: 1

    Wake me when a samurai-sword-wielding pizza man starts spreading ancient Babylonian curses.

  16. Just curious why this is under Role Playing Games by Andrew+Kismet · · Score: 1

    Second Life features very little G, and smatterings of RP based on individual players. It's no more of an RPG than the entire internet is...

  17. Serial numbers are go! by SirJorgelOfBorgel · · Score: 1

    Those security questions often annoy me... especially if you have to chose from a predefined set. Everybody who knows me knows my hometown, for example. What kind of security question is that? If possible (e.g., the answer box has enough text), I usually use the 40-digit serial number from the box the first CD-R I ever bought came in. Don't even ask why I know that number by memory :D Back to Linden Labs, while they may have been at fault for not sufficiently securing the servers, the way they have handled it is commendable. Not many publishers of games like that would handle it like this. Hell, I'm sure MindArk (Project Entropia) wouldn't!