Second Life's user database breached
by Vladimir Cole 
{ Sep 9th 2006 at 1:25AM }
Hackers broke into the Second Life user databases on Thursday, according to this post on the official blog of Second Life parent company Linden Labs. Intruders gained access to Second Life account names, real life names, contact information, encrypted account passwords and encrypted payment information.
So what?
Well, there's something scarier about this theft. Name, address and credit card information is stolen daily from various inept ecommerce sites. We're kind of accustomed to that level of theft. But how many of us are really comfortable with data stolen from the place where we spend our leisure time?
To put a finer point on it, what happens when archived MMOG chat logs are breached? It's going to be ugly, like AOL ugly: "I swear honey, that Furry meant nothing to me. It was totally just research for my new book. I'll sell the teledildonics equipment on eBay first thing tomorrow."
Gamers haven't been paying much attention to privacy of in-game communications. Given how intimate some of those communications have become, maybe it's time for more scrutiny of privacy protection measures taken by MMOG providers.
[Via Techcrunch]
[Image via furry.wikia.com]
Reader Comments (Page 1 of 1)
Matt @ Sep 9th 2006 1:46AM
So wait. You're proposing that someone stealing in game conversations that could, at worst, embarrass you is somehow worse than someone stealing finacial information that could potentially drain your lifesavings. Good logic.
Thomas @ Sep 9th 2006 1:45AM
whats up with Joystiq's sudden furry fixation?
vc @ Sep 9th 2006 1:47AM
Matt: that's exactly what I'm saying. Credit cards have protections in place that limit a person's liability in cases of identity fraud. I've been through it, I know.
Public disclosure of search and behavior data would be far, far more detrimental.
Steve @ Sep 9th 2006 1:51AM
At least half of Second Lifes population is furry, so this is more of a "Haha" story rather than something that shocked me. Too bad for those that aren't furry on SL though.
Chris @ Sep 9th 2006 1:55AM
vc
That is, of course, if the behavioral data were somehow linked to a person of reputable stature rather than said person's character. It would indeed be something interesting to see if Mayor X or Senator Y had a private/intimate cyber session posted across the internet.
Interesting more, though, would be if said politician's credit card information packaged neatly with security code, billing address, and a password quite likely to be used on multiple website ro other accounts fell into curious hands.
Waccoon @ Sep 9th 2006 2:25AM
Yet another reason why online gaming and micropayments are the way of the future!
Probot @ Sep 9th 2006 2:27AM
There are two things I disagree with.
First, the idea that we've become accustomed to identity theft. I haven't. I think lack of security of personal information is probably the biggest problem with the internet. It's not a technological problem though; People just need to be educated better about using the internet safely.
Second, the idea that exposed chat logs are more detrimental than exposed credit card information. I do agree that there are avenues to help with credit card theft and there isn't the same sort of thing for private chat data.
However, if I had the choice, I'd prefer "private" chat logs exposed over credit card records exposed. There might be some embarassing stuff, but I'd get over that. Just like I'd get over someone finding porn on my computer or any other embarassing event. Maybe I'm just not having the kind of conversations Vlad is having.
Sid @ Sep 9th 2006 2:53AM
There's always room for teledildonics references.
maikeru @ Sep 9th 2006 3:01AM
4.
It's kinda lame to say "serves the furfags right." Weird obsession or not, identity theft sucks for anyone.
Probot @ Sep 9th 2006 3:30AM
I want to make clear that this incident of identity theft or any real case of chat log theft is still very bad. I wouldn't want either to happen to me or anyone. My previous comment was just about which is worse in my opinion.
I also wasn't saying anything private can be made public without any problems. We have the right to privacy and that should be respected online and off.
raven ofsecondlife @ Sep 9th 2006 5:24AM
I would like to know immediately where you got that picture. Why? Because I am one of the 2 furs in that picture and I only know of one site that has ever shown that photo. If you are the author or admin of this board please email me where you got it.
Marshall @ Sep 9th 2006 6:10AM
Thanks for the link and extending the conversation along these lines. I do feel like behavioral data is the biggest issue here - there's a lot of, if not sufficient, protection for financial information already. The game has only just begun when it comes to stuff like this.
Ironic though, that you have been accused of posting intimate avatar pics without permission!
Zoë K. @ Sep 9th 2006 6:04AM
Hmm, not sure how to feel about that.
Not only do I play Second Life, but I have an anthropomorphic avatar. I try to stay as far away from the term "furry" as I can, though. I just figure why play a game as a human if you don't have to? It's supposed to be fantasy.
But yeah, Jebus... I haven't tried to log on in two days now. I wasn't even aware of this until now. First that whole thing with the veterans military records being ganked, and now the possibility someone I don't know has my credit card info.
God bless the human race, no?
radix @ Sep 9th 2006 6:47AM
of all the things on Second Life, you some how nabbed a babyfur screenshot =)
not everyday something like that catches my eye. nice, uh, fan service =3
radix @ Sep 9th 2006 7:00AM
And also...
#12, Raven, that picture is on Wikipedia for babyfur. Marked with the tag, Second Life. Looks like it wasn't that hard to discover.
raven ofsecondlife @ Sep 9th 2006 7:31AM
Yes it is, but I just wanted to be sure thats the only spot it was. I didn't give permission here, but there i did, so i knew it may have been bound to happen.
Spilt_Milk @ Sep 9th 2006 7:55AM
Raven, you posed something on the intraweb and are supprided it is showing up other places?
No wonder SL got hit. They seem ripe for the pickin.
;)
Spilt_Milk @ Sep 9th 2006 7:57AM
*surprised
/skulks off to a corner
Moogle @ Sep 9th 2006 8:03AM
Hah. I signed up for SL a week ago to see what it was about. Now I'm happy I didn't give them any financial data in exchange for 250 of their virtual 1/3rd pennies.
No one ever considers (good) security until they've been violated.
Rinku @ Sep 9th 2006 8:57AM
Friendly reminder, SecondLife clearly said that NO CREDIT CARD INFORMATION WAS COMPROMISED. Account names, passwords, and personal data (real age, name, and such) was the only thing in danger here.
Psaakyrn @ Sep 9th 2006 9:54AM
At the current point in online security, it's best to assume there's no such thing as good online security. I still wouldn't expect you to use one password for everything and change them regularly, but at least, there should be a segregation between important (e.g. bill payment, work data) and unimportant (online forums, games [as opposed to game payment]). Additionally if possible, use different passwords for important data. (I don't really trust, nor understand the need for regular password changes. Most online hacking does not rely on brute-force methods since they can be easily stopped and/or detected before proper progress is done, and instead uses software flaws to just obtain the data directly)
Dench @ Sep 9th 2006 10:21AM
Stop hating on the furries, it's the hackers you should hate.
Om @ Sep 9th 2006 10:44AM
Never really liked the fact that Second Life asked for your credit card details just to play a Demo. Although I'd like to check it out, I just cant bring myself to do it. I know CC details were apparently not breached this time, I'm still glad I had not caved in, because I'd allways have in the back of my head "perhaps they did".
Om
Evan @ Sep 9th 2006 11:10AM
Consider what could happen if some other sites got hacked:
If XBoxLive users' real identities got hacked, 12 year old kids might get beaten up for talking shit about "pwning" another player.
If MMORPG users' real identities got hacked, people could be murdered in real life for stealing a rare drop in the game.
If 4chan.org users' real identities got hacked, many anime fans would be exposed as pedophiles.
If SomethingAwful.com users' real identities got hacked, its basement-dwelling nerds would be too afraid to leave their basements and face the people they trash-talk about online.
Here's a thought: maybe people shouldn't do things online that they wouldn't do in real life. It would make XBoxLive a more mature environment, MMORPGs fairer, rid the world of "lolicon", and nerds might try to improve their own real lives instead of just bashing everyone elses.
Miles Edgey @ Sep 9th 2006 11:47AM
That's pretty fucked...
I signed up for a free Second Life nearly a year ago, with a Paypal account. I never even got a chance to play it, my video card was too shitty..Wonder what kind of a risk I'm in.
maikeru @ Sep 9th 2006 12:35PM
23.
Nah, it's not for a demo -- using your card just verifies your account now.
(In fact, you don't need a CC to sign up anymore. You can either leave your account unverified, or verify with a cell phone. of course, either way will leave you with either 250 in-game money or none at all, but better than nothing.)
Lekko @ Sep 9th 2006 3:19PM
People still use their real names? wow
PearOfAnguish @ Sep 9th 2006 5:16PM
Coupla' points...
I might be wrong, but I'm pretty sure archived chat logs aren't available through the SL client, you can only view chat records from your current session. And since a) the breach only covered account details and makes no mention of any other data and b) we assume that Linden Labs aren't recording private chats (right, guys?), it's unlikely anyone is going to have their private conversations broadcast over the net.
Also, I didn't quite understand why you would consider someone getting hold of login details more serious than credit card fraud, but I was surprised that you didn't mention the biggest risk, namely that people operate businesses in SL and own huge amounts of land and player-created content. If someone got the password and username of one of the big landowners they could cause havoc; deleting objects, removing land-rights, banning players...it could be extremely damaging for LL.
"Never really liked the fact that Second Life asked for your credit card details just to play a Demo. Although I'd like to check it out, I just cant bring myself to do it. I know CC details were apparently not breached this time, I'm still glad I had not caved in, because I'd allways have in the back of my head "perhaps they did"."
You don't need a credit card anymore and it's not a demo. You have full access to the world, the only thing you can't do is buy land directly from Linden Labs, instead you have to purchase it through one of the many real estate dealers. Many people play the game perfectly fine with just the basic account.
"I signed up for a free Second Life nearly a year ago, with a Paypal account. I never even got a chance to play it, my video card was too shitty..Wonder what kind of a risk I'm in."
Well considering that you don't have to give your Paypal password to LL at any point and you never even logged in, you're at no risk at all.
rockintom99 @ Sep 10th 2006 5:06PM
What *really* pisses me off about this is that you are required to change your password, and in order to do that, you have to use the secret question/answer thing. I mean, who the crap actually uses those? Every time, I use the answer "OIWEGHOWHVOSHDOHWEOIGHWOIG", so now I have to start a new second life account. Damn it.
Q Manning @ Sep 10th 2006 7:26PM
Second Life? Why not actually try and do something with your FIRST life!? AMIRIGHT?
::sigh::
skippyfox @ Sep 12th 2006 10:08PM
I see where Raven (#11) is coming from: Normally if a pic of you is shared you would prefer to know at the very least WHERE it is. But nobody is being accused or attacked for infringement. In fact I originally took the screenshot and uploaded it claiming "fair use," meaning anybody can use it as a demonstration of SL's content. Permission to share it was obtained merely out of respect and courtesy; no rule prevents tampering or distribution of the file.
In contrast, SL's policy promises not to share personal information, and the hacker who obtained some of it obviously broke the law.