Second Life Database Intrusion via Web

Jim writes "A major security exploit has been discovered by Linden Labs, the company that operates Second Life. It turn out that on September 6th, an intruder gained access to the Second Life database. They have since closed the exploit. Today, September 8th, they finally announced this to residents and have cancelled all passwords. They have asked everyone to use the reset password form to make a password. This has resulted in mass confusion amongst residents on the forums who cannot remember their security question. Many more details below.

Calls to Linden Labs offices in California are directed to a message telling residents to change their password via secondlife.com/password.

According to the Second Life Blog:

"On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the "Forgot Password" link. An email will be sent to the email address you have registered with us. (Don't forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password."

Ack

[GigsVT]

Don't slashdot their servers before I can change my password.

Yes, the fact that the blog runs on the same MySQL cluster as the main account passwords has more than one side effect. :)

Does anyone else see a problem with this?

[Da w00t]

An intruder gained access to the database . So they're resetting passwords. Good.

But they're using the "security question" ... which is also probally in the same database that was already compromised?

and how is this fixing the problem? What exactly prevents the intruder from using the security question out of the database they compromised?

Re:Does anyone else see a problem with this?

[kcbnac]

You first have to click the link from the registered email address.

SO you'd have to have that randomly-generated link to make use of said security question.

Re:

[Rolan]

Seems e-mail addresses were gotten, too. Hope nobody used the same password for their e-mail address as they did their SecondLife account..... If they did, then that e-mail link is pretty useless.

Re:

[bateleur]

Passwords aren't generally stored except in encrypted form (and as I understand it that's what was done here) so that shouldn't make a difference.

Re:

[muftak]

They might store passwords in plain text for support purposes, and even if they were encrypted a password cracker would probably get quite a few.

Re:Does anyone else see a problem with this?

[ichigo 2.0]

The summary says the passwords were stored in encrypted form. Usually one would hash [wikipedia.org] the password, making it very difficult and time-consuming to decrypt the password.

Re:

[Fweeky]

Better not forget the random salt, or your hashed passwords are pretty transparent to anyone with a CD of rainbow tables and a few minutes of CPU.

Re:

[Jesrad]

From the associated FAQ:

Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information

So it seems pretty safe. I'm glad they reacted the way they did and use good security practices for storing info, I wish they reacted faster, I hope they did not detect the intrusion through user complaints but instead through routine chec

Re:

[TubeSteak]

Depends on what kind of hashing/salting Linden Labs used for their passwords.

Even that isn't going to prevent a cracker from running brute force dictionary attacks against the users' e-mail addresses/servers .

Re:

[recordMyRides]

It is easier for a lazy developer to simply plain text the passwords and secret question answers. The fact that the web developers left their website open to a sql-injection attack does not give me much confidence that they used a proper salt & hash.

Re:

[jthill]

You first have to click the link from the registered email address.

Also in the database. Care to guess how many people have a standard password for low-security use (and don't know better than to use it for their email)?

Not that I'm swinging a bat a Second Life here — shit happens. People screw up. They fixed it.

Re:

[faloi]

You first have to click the link from the registered email address. SO you'd have to have that randomly-generated link to make use of said security question.

Perhaps someone can educate me... Are the security questions in Second Life the same as most other things... You get a drop-down box with options for your question, then type in your answer?

Why do I sense a lot of phishing that's going to be going on? The user gets a phishy email, clicks on the link, does their security stuff and enter their new

Re:

[KDR_11k]

I find those drop-down box qeuestions to be way too insecure. We are repeatedly told not to use any words or data that can be found through social engineering (you know, like your birthday) yet those drop-down boxes contain only questions of such an insecure nature.

Re:

[Megaweapon]

Hopefully they hashed+salted the answer to the question. Hopefully.

Re:Does anyone else see a problem with this?

[Southpaw018]

Herein lies an additional problem with security questions. I don't answer them. I work for a nonprofit. The gentleman whose job it is (for lack of a better way to say it) to find rich people to donate money to us sits in the office next to mine. His data mining capabilities are beyond my comprehension, and I'M supposed to be "the computer guy" here. I sat down with him one day and with 15 minutes and $20 he had enough info about me to get into my bank account via the security questions feature.

The answer to my security questions on ALL websites is now something to the effect of 20-40 random characters.

Re:

[xtracto]

Herein lies an additional problem with security questions. I

Ya, security questions are stupid. I remember going into several chicks account on the ICQ times. The recipe was:

1. Search for interesting (age, city, status of profile) girl with ICQ search option.
2. Get into email page (preferably hotmail or yahoo mail or any other webmail) and go through the "forgot my password"
3. Bypass the "whats your age and other general info" filter, looking of courrse in their profile, it was so funny to look how they fill

Re:

[KDR_11k]

Pfft. Even my sister, a total computer illiterate person, managed to break several security questions. Many people will just answer you if you ask them the question they used for that. Others simply use Q:Wazzup? A:Nothing.

Re:

[mdielmann]

Well, I'll tell you my system. I make up words. They're made up, so I don't use them in regular conversation. They're pronounceable, so I can remember them well enough. They won't be found in a dictionary, because they aren't real. If I have 4 or 5, I should have enough for most secure systems. I use less secure passwords for stuff where I don't care if you get in - my slashdot account, for instance.

What ticks me off are banks that only allow 4 digits for PINs. My old bank allowed 6, a 1 in a million

Re:

[merlin_jim]

An intruder gained access to the database . So they're resetting passwords. Good.

But they're using the "security question" ... which is also probally in the same database that was already compromised?

ironically, I just got done going through the process when I decided to check slashdot lol.

In order to load the security question you have to click on a link with a UUID in an e-mail to your registered address - the attacker would have to have access to your e-mail as well.

Also I would note that the attacker go

Re:

[Breakfast Pants]

The thing that should really concern them is that the passwords are probably represented in the database as MD5 checksums. The problem with this is that the intruder can essentially run a dictionary attack through an md5 program and get a lot of common words (there are actually multiple gigabyte databases out there on the web for free, full of text of common password/md5 checksum pairs). With the plain text passwords of many users in hand (certainly not all), they can then go about trying these on banking

Re:

[KDR_11k]

That's what salt is for, add a short string to the password before hashing and the hash is completely different and all hash lists are useless.

Re:

[Anonymous Coward]

Kudo's what?

Oh, dear...

[__aaclcg7560]

There's goes the planet. Time for a third life...

Are you kidding me...

[hxftw]

Its already been slashdotted.

Re:

[merlin_jim]

Its already been slashdotted.

I highly doubt that it's slashdotted... far more likely it's SLdotted - SL's website is never that fast anyways, and can crash / become unusable from load related problems completely and totally unrelated to slashdot, in my experience...

Wow!

[KitsuneSoftware]

Finally, it's good to see a company taking security seriously!

That said, and this isn't their fault, I'm cynical about the claim that credit card data wasn't compromised...

Re:

[planetjay]

Are you retarded? They're not taking security seriously. They never have. The fact that this happened proves it!

ObPA

[Rob T Firefly]

Secret questions can be troubling. [penny-arcade.com]

Re:

[Das Modell]

I hate security questions. They're totally insecure and I never use them anyway. I have a small set of different passwords that I use everywhere, randomly. Maybe this isn't the best possible practise, but I'm just some lonely guy on the Internet, and not working for a company or in charge of national security. At least I always remember my passwords or, failing that, try all of them until I find the right one.

Correct me if I'm wrong, but isn't it a bit insecure to have questions like "what's your mother's n

Re:

[GigsVT]

At least I always remember my passwords or, failing that, try all of them until I find the right one.

That always worries me when I have to do that.

Now that site knows all my passwords. They might even be sitting in some "invalid login" log file, in plaintext.

Re:

[ocelotbob]

Like always, real life is much more hilarious than PA. [qdb.us]

Re:

[CronoCloud]

I'm sorry that's incorrect. That used to be the case, but not anymore. While the "input credit information" page still comes up, you can skip it.

It took two days to cancel passwords

[jstrauser]

This means users were vulnerable without notice of a breach during that time.

No CC or Cell phone # Needed anymore

[Anonymous Coward]

No CC or cell phone needed for a couple of months now.
Signups now on SL are only tied to a valid email address

Praise for Linden Lab

[mrdudy]

I'm really impressed by the way Linden Lab has been handling this issue. Though the exploit seems to be not their fault, they are still humbly taking the blame. In addition, as soon as they figured the extent of the hack, they reported it to the users, and immediately changed all the account passwords in their systems. They didn't really need to do this, ie, they could have just issued a warning, but its shows that they care about the user's security more than their public image (no doubt this password chan

Sockpuppet?

[Argyle]

Praise?

C'mon this has got to be a plant. Even a rabid Second Life fanboy wouldn't be praising this security breach. Of course it's Linden's fault for the breach.

Re:

[bateleur]

There's also the fact that this is the only issue he has ever felt worthy of comment since signing up for his account.

I dunno, you think Linden would have enough money to shell out for a professional sockpuppeting service. It's not like they've been spending all their money on server security!

holy hell

[Desolator144]

If that happened in the game I play (Silkroad Online) people would be pissed. No wait, TURBO PISSED! I think that alone could change South Korea into "the bad half" cuz that's where they made the game. Last time I tried to change my password, it wouldn't take my answer to my secret question even though I triple checked it when I made it.

Hacking Second Life? I'm not worried...

[NexFlamma]

Wake me when a samurai-sword-wielding pizza man starts spreading ancient Babylonian curses.

Just curious why this is under Role Playing Games

[Andrew Kismet]

Second Life features very little G, and smatterings of RP based on individual players. It's no more of an RPG than the entire internet is...

Serial numbers are go!

[SirJorgelOfBorgel]

Those security questions often annoy me... especially if you have to chose from a predefined set. Everybody who knows me knows my hometown, for example. What kind of security question is that? If possible (e.g., the answer box has enough text), I usually use the 40-digit serial number from the box the first CD-R I ever bought came in. Don't even ask why I know that number by memory :D Back to Linden Labs, while they may have been at fault for not sufficiently securing the servers, the way they have handle