Slashdot Mirror


Second Life Database Intrusion via Web

Jim writes "A major security exploit has been discovered by Linden Labs, the company that operates Second Life. It turns out that on September 6th, an intruder gained access to the Second Life database. They have since closed the exploit. Today, September 8th, they finally announced this to residents and have cancelled all passwords. They have asked everyone to use the reset password form to make a password. This has resulted in mass confusion amongst residents on the forums who cannot remember their security question. Many more details below. Calls to Linden Labs offices in California are directed to a message telling residents to change their password via secondlife.com/password.

According to the Second Life Blog:

"On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the "Forgot Password" link. An email will be sent to the email address you have registered with us. (Don't forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password."

13 of 48 comments

  1. Ack by GigsVT · · Score: 2, Interesting

    Don't slashdot their servers before I can change my password.

    Yes, the fact that the blog runs on the same MySQL cluster as the main account passwords has more than one side effect. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  2. Does anyone else see a problem with this? by Da w00t · · Score: 4, Insightful

    An intruder gained access to the database. So they're resetting passwords. Good.

    But they're using the "security question" ... which is also probably in the same database that was already compromised?

    And how is this fixing the problem? What exactly prevents the intruder from using the security question out of the database they compromised?

    --

    da w00t. mtfnpy?
    1. Re:Does anyone else see a problem with this? by kcbnac · · Score: 5, Informative

      You first have to click the link from the registered email address.

      So you'd have to have that randomly-generated link to make use of said security question.
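
The two-step flow kcbnac describes (random emailed link first, security question second), as an added example that is not Linden Lab's code or anything from the page. The point it demonstrates: if the reset token is stored only as a hash, is single-use and expires, and the security answer is stored salted and hashed like a password, then a copy of the account table gives an intruder neither a usable reset link nor the answer. The in-memory `USERS` table, the field names, the token lifetime and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed lifetime of an emailed reset link
PBKDF2_ROUNDS = 100_000    # assumed work factor for the slow hash

USERS = {}   # constructed in-memory stand-in for the account table


def _slow_hash(secret, salt):
    """Salted, iterated hash used for both the password and the security answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def add_user(name, email, password, answer):
    pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    USERS[name] = {
        "email": email,
        "pw_salt": pw_salt,
        "pw_hash": _slow_hash(password, pw_salt),
        "ans_salt": ans_salt,
        # The answer is normalised and hashed like a password, so a dump of
        # this table reveals the answer no more than it reveals the password.
        "ans_hash": _slow_hash(answer.strip().lower(), ans_salt),
        "reset": None,   # pending reset: hash of the emailed token plus expiry
    }


def request_reset(name, now=None):
    """Step 1: mint a random token, store only its hash and expiry, and return
    the raw token. In a real system the raw token goes only into the e-mail
    sent to the registered address; it is never written to the database."""
    user = USERS.get(name)
    if user is None:
        return None
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    user["reset"] = {
        "token_hash": hashlib.sha256(raw.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return raw


def complete_reset(name, raw_token, answer, new_password, now=None):
    """Step 2: the emailed token must be valid first; only then is the
    security answer checked. The token is single-use and expires, so the
    answer alone (from the database or from research) achieves nothing."""
    user = USERS.get(name)
    if user is None or user["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = user["reset"]
    if now > pending["expires"]:
        user["reset"] = None
        return False
    presented = hashlib.sha256(raw_token.encode()).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    answer_hash = _slow_hash(answer.strip().lower(), user["ans_salt"])
    if not hmac.compare_digest(answer_hash, user["ans_hash"]):
        return False
    user["reset"] = None                     # single use, consumed on success
    user["pw_salt"] = secrets.token_bytes(16)  # fresh salt for the new password
    user["pw_hash"] = _slow_hash(new_password, user["pw_salt"])
    return True


def check_password(name, password):
    user = USERS.get(name)
    if user is None:
        return False
    return hmac.compare_digest(_slow_hash(password, user["pw_salt"]), user["pw_hash"])
```

The order of the checks is the point: a stolen table contains `token_hash`, not the token, and the token is only ever delivered to the registered mailbox, so the security question is never reachable without control of that mailbox. Storing the answer as a salted slow hash also means the "same database" objection above only bites if the answer is guessable from public information, which is the separate problem the later comments raise.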

    2. Re:Does anyone else see a problem with this? by Southpaw018 · · Score: 4, Informative

      Herein lies an additional problem with security questions. I don't answer them. I work for a nonprofit. The gentleman whose job it is (for lack of a better way to say it) to find rich people to donate money to us sits in the office next to mine. His data mining capabilities are beyond my comprehension, and I'M supposed to be "the computer guy" here. I sat down with him one day and with 15 minutes and $20 he had enough info about me to get into my bank account via the security questions feature.

      The answer to my security questions on ALL websites is now something to the effect of 20-40 random characters.

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    3. Re:Does anyone else see a problem with this? by TubeSteak · · Score: 2

      Depends on what kind of hashing/salting Linden Labs used for their passwords.

      Even that isn't going to prevent a cracker from running brute force dictionary attacks against the users' e-mail addresses/servers.

      --
      [Fuck Beta]
      o0t!
    4. Re:Does anyone else see a problem with this? by ichigo 2.0 · · Score: 3, Informative

      The summary says the passwords were stored in encrypted form. Usually one would hash the password, making it very difficult and time-consuming to decrypt the password.
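
What TubeSteak's "depends on the hashing/salting" and ichigo 2.0's "hash the password" amount to in practice, as an added example that is not from the page and says nothing about what Linden Lab actually stored. Hashed passwords are not decrypted; they are guessed. A fast unsalted hash lets the guesser hash each dictionary word once and match it against every user at the same time, while a per-user salt forces a fresh pass over the dictionary for each account. The word list, user names and passwords below are constructed, and the stolen-table layout is an assumption.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "secondlife", "dragon", "qwerty"]   # constructed


def unsalted_hash(password):
    """What an "encrypted" column often turns out to be: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Same idea with a random per-user salt mixed in (still a fast hash)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dump_unsalted(users):
    """Constructed stand-in for a stolen table: {user: sha1hex}."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def dump_salted(users):
    """Constructed stand-in for a stolen table: {user: (salt, sha256hex)}."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(stolen):
    """Hash every dictionary word once, then look each stolen hash up in that
    table. Returns ({user: password}, number of hashes computed); the work
    is len(WORDLIST) no matter how many users the table has."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    found = {u: table[h] for u, h in stolen.items() if h in table}
    return found, len(WORDLIST)


def crack_salted(stolen):
    """With a per-user salt nothing can be shared between users: each account
    costs its own pass over the dictionary. Returns ({user: password},
    number of hashes computed)."""
    found, work = {}, 0
    for u, (salt, h) in stolen.items():
        for w in WORDLIST:
            work += 1
            if salted_hash(w, salt) == h:
                found[u] = w
                break
    return found, work


if __name__ == "__main__":
    users = {"alice": "password", "bob": "password", "carol": "x9!Qf#2v"}
    print("unsalted:", crack_unsalted(dump_unsalted(users)))
    print("salted:  ", crack_salted(dump_salted(users)))
```

Two things to notice when running it: in the unsalted table alice and bob have identical hashes, so the attacker learns they share a password before computing anything, and both weak passwords still fall in the salted case; the salt only removes the amortisation, it does not rescue a dictionary word. Raising the per-guess cost is the job of a deliberately slow construction such as PBKDF2 or bcrypt, which is what "depends on the hashing" really means.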

    5. Re:Does anyone else see a problem with this? by xtracto · · Score: 2, Interesting

      Herein lies an additional problem with security questions. I

      Ya, security questions are stupid. I remember going into several chicks' accounts in the ICQ times. The recipe was:

      1. Search for an interesting (age, city, status of profile) girl with the ICQ search option.
      2. Get into the email page (preferably Hotmail or Yahoo mail or any other webmail) and go through the "forgot my password" flow.
      3. Bypass the "what's your age and other general info" filter, looking of course in their profile; it was so funny to see how they filled their profile with everything I needed.
      4. Answer their stupid password question (I liked how some sites had and still have 3 or 4 compulsory "questions" to be answered, and I loved more how people *really* answered them).
      5. Profit (the best thing was when these webmail pages would let you into the mail after doing that, or better yet just gave you the password in plain).

      Nowadays it is a bit more difficult (of course, if you don't have the general information). But, as they say, Google is your friend. And I am sure it might be possible (if you live, for example, in the same country as the "victim") to use other means to get more information (white pages, etc.).

      What I usually do, is write something completely unrelated as the answer to the security question. It is in some way another password for me.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    6. Re:Does anyone else see a problem with this? by mdielmann · · Score: 2, Insightful

      Well, I'll tell you my system. I make up words. They're made up, so I don't use them in regular conversation. They're pronounceable, so I can remember them well enough. They won't be found in a dictionary, because they aren't real. If I have 4 or 5, I should have enough for most secure systems. I use less secure passwords for stuff where I don't care if you get in - my slashdot account, for instance.

      What ticks me off are banks that only allow 4 digits for PINs. My old bank allowed 6, a 1 in a million chance, and harder to keep track of if you're trying to peek over my shoulder. 4 digits are almost impossible to hide effectively without wearing your tinfoil hand visors.

      --
      Sure I'm paranoid, but am I paranoid enough?
  3. Wow! by KitsuneSoftware · · Score: 2, Funny

    Finally, it's good to see a company taking security seriously!

    That said, and this isn't their fault, I'm cynical about the claim that credit card data wasn't compromised...

  4. Re:This could be serious by CronoCloud · · Score: 3, Informative

    I'm sorry that's incorrect. That used to be the case, but not anymore. While the "input credit information" page still comes up, you can skip it.

  5. It took two days to cancel passwords by jstrauser · · Score: 3, Interesting

    This means users were vulnerable without notice of a breach during that time.

  6. No CC or Cell phone # Needed anymore by Anonymous Coward · · Score: 2, Informative

    No CC or cell phone has been needed for a couple of months now.
    Signups on SL are now only tied to a valid email address.