Regarding the Second Life Security Problem Last Week…

[Disclaimer – Most of this is distilled from concerns that were raised both within their own forum and from ‘live’ discussion on the resident-run IRC channels.]

The story so far…

Well, there *was* a breach of some sort, but as of now they don’t know what exactly may have been taken. They’re getting close to finding out (as part of the ongoing investigation), but they decided to lockout the userbase last Friday as a precaution for everyone.

The two main items of information that I have concerns about were the passwords and the credit card data. Both were stored encrypted. However, the password you used there should be considered as invalid and not used anymore, anywhere (which is why I’ve been off the radar a while – I’m criusing many a forum and site to figure out which ones I used mine on :headbang: ). In my case, I had *just* changed the SL ones the previous week too, in an effort to make those accounts more secure. Bah. Why the password – for SL anyway – should be considered invalid is due to open source tools available now to login to the world and manipulate it, which could be modified to just send the encrypted password…

Credit card data is a coin toss as to what’s possible with an encrypted one. I’m in the same boat as many others, and my take right now is to keep a close eye on my balance for the next month or two. In the interim I’ll look into getting a new card and moving the many, many things I have on it (I need a new card anyway, the current one is falling apart again from wear ;) ). Linden Lab at this time is not being as forthcoming about the possibility of this data being grabbed, though I and several others are still pressing for a definitive answer.

I’m not as concerned about personal data, such as name, address, etc. My RL name is up for all to see, and from that I located the rest through the various ‘searching’ sites. I do know many in SL who care about this however, and am still following that aspect.

Changing the password should be easy enough – if you got the email notice last Friday, the link is there, plus trying to login to the site on a account not reset will re-direct you. The primary form of re-verification is the security question that should have been set during account creation; For older accounts there are a few others, including listing several people on your ‘Friends’ window. If all else fails you can call them; By now things should have calmed down (somewhat) at their Support Center.

If anyone is actually interested in hearing more updates, I’ll be happy to post them; Please comment…

–TSK

Bad Behavior has blocked 326 access attempts in the last 7 days.