
Second Life Database Intrusion via Web

Zonk posted about 8 years ago | from the cybering-furries-have-to-pause-for-air dept.


Jim writes "A major security exploit has been discovered by Linden Labs, the company that operates Second Life. It turns out that on September 6th, an intruder gained access to the Second Life database. They have since closed the exploit. Today, September 8th, they finally announced this to residents and have cancelled all passwords. They have asked everyone to use the reset password form to make a password. This has resulted in mass confusion amongst residents on the forums who cannot remember their security question. Many more details below. Calls to Linden Labs offices in California are directed to a message telling residents to change their password via secondlife.com/password.

According to the Second Life Blog:

"On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the "Forgot Password" link. An email will be sent to the email address you have registered with us. (Don't forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password."


48 comments


Ack (2, Interesting)

GigsVT (208848) | about 8 years ago | (#16068036)

Don't slashdot their servers before I can change my password.

Yes, the fact that the blog runs on the same MySQL cluster as the main account passwords has more than one side effect. :)

Does anyone else see a problem with this? (4, Insightful)

Da w00t (1789) | about 8 years ago | (#16068041)

An intruder gained access to the database . So they're resetting passwords. Good.

But they're using the "security question" ... which is also probably in the same database that was already compromised?

and how is this fixing the problem? What exactly prevents the intruder from using the security question out of the database they compromised?

Re:Does anyone else see a problem with this? (5, Informative)

kcbnac (854015) | about 8 years ago | (#16068050)

You first have to click the link from the registered email address.

So you'd have to have that randomly-generated link to make use of said security question.

Re:Does anyone else see a problem with this? (1)

Rolan (20257) | about 8 years ago | (#16068208)

Seems e-mail addresses were gotten, too. Hope nobody used the same password for their e-mail address as they did their SecondLife account..... If they did, then that e-mail link is pretty useless.

Re:Does anyone else see a problem with this? (1)

bateleur (814657) | about 8 years ago | (#16068280)

Passwords aren't generally stored except in encrypted form (and as I understand it that's what was done here) so that shouldn't make a difference.

Re:Does anyone else see a problem with this? (1)

muftak (636261) | about 8 years ago | (#16068335)

They might store passwords in plain text for support purposes, and even if they were encrypted a password cracker would probably get quite a few.

Re:Does anyone else see a problem with this? (3, Informative)

ichigo 2.0 (900288) | about 8 years ago | (#16068384)

The summary says the passwords were stored in encrypted form. Usually one would hash [wikipedia.org] the password, making it very difficult and time-consuming to decrypt the password.

Re:Does anyone else see a problem with this? (1)

Fweeky (41046) | about 8 years ago | (#16069680)

Better not forget the random salt, or your hashed passwords are pretty transparent to anyone with a CD of rainbow tables and a few minutes of CPU.

Re:Does anyone else see a problem with this? (1)

Jesrad (716567) | about 8 years ago | (#16070833)

From the associated FAQ:

Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information


So it seems pretty safe. I'm glad they reacted the way they did and use good security practices for storing info. I wish they had reacted faster; I hope they did not detect the intrusion through user complaints but instead through routine checks, so that no one lost anything.

Re:Does anyone else see a problem with this? (2)

TubeSteak (669689) | about 8 years ago | (#16068365)

Depends on what kind of hashing/salting Linden Labs used for their passwords.

Even that isn't going to prevent a cracker from running brute force dictionary attacks against the users' e-mail addresses/servers.

Re:Does anyone else see a problem with this? (1)

recordMyRides (995726) | about 8 years ago | (#16068413)

It is easier for a lazy developer to simply plain text the passwords and secret question answers. The fact that the web developers left their website open to a sql-injection attack does not give me much confidence that they used a proper salt & hash.

Re:Does anyone else see a problem with this? (1)

jthill (303417) | about 8 years ago | (#16068357)

You first have to click the link from the registered email address.

Also in the database. Care to guess how many people have a standard password for low-security use (and don't know better than to use it for their email)?

Not that I'm swinging a bat at Second Life here — shit happens. People screw up. They fixed it.

Re:Does anyone else see a problem with this? (1)

faloi (738831) | about 8 years ago | (#16068667)

You first have to click the link from the registered email address. SO you'd have to have that randomly-generated link to make use of said security question.

Perhaps someone can educate me... Are the security questions in Second Life the same as most other things... You get a drop-down box with options for your question, then type in your answer?

Why do I sense a lot of phishing that's going to be going on? The user gets a phishy email, clicks on the link, does their security stuff and enter their new password, which obviously doesn't work. Then they get a real Second Life email thing, do the same thing and their password is changed. The average user would probably just use the same password on both links, and not think anything of it.

Re:Does anyone else see a problem with this? (1)

KDR_11k (778916) | about 8 years ago | (#16070977)

I find those drop-down box questions to be way too insecure. We are repeatedly told not to use any words or data that can be found through social engineering (you know, like your birthday) yet those drop-down boxes contain only questions of such an insecure nature.

Re:Does anyone else see a problem with this? (1)

Megaweapon (25185) | about 8 years ago | (#16068084)

Hopefully they hashed+salted the answer to the question. Hopefully.

Re:Does anyone else see a problem with this? (4, Informative)

Southpaw018 (793465) | about 8 years ago | (#16068108)

Herein lies an additional problem with security questions. I don't answer them. I work for a nonprofit. The gentleman whose job it is (for lack of a better way to say it) to find rich people to donate money to us sits in the office next to mine. His data mining capabilities are beyond my comprehension, and I'M supposed to be "the computer guy" here. I sat down with him one day and with 15 minutes and $20 he had enough info about me to get into my bank account via the security questions feature.

The answer to my security questions on ALL websites is now something to the effect of 20-40 random characters.

Re:Does anyone else see a problem with this? (2, Interesting)

xtracto (837672) | about 8 years ago | (#16068652)

Herein lies an additional problem with security questions. I

Ya, security questions are stupid. I remember going into several chicks' accounts in the ICQ times. The recipe was:

1. Search for interesting (age, city, status of profile) girl with ICQ search option.
2. Get into email page (preferably hotmail or yahoo mail or any other webmail) and go through the "forgot my password"
3. Bypass the "what's your age and other general info" filter, looking of course in their profile; it was so funny to look how they filled their profile with everything I needed.
4. Answer their stupid password (I liked how some sites had and still have 3 or 4 compulsory "questions" to be answered, and I loved more how people *really* answered them).
5. Profit (the best thing was when these webmail pages would let you into the mail after doing that, or better yet just gave you the password in plain).

Nowadays it is a bit more difficult (of course, if you don't have the general information). But, as they say, Google is your friend. And I am sure it might be possible (if you live for example in the same country as the "victim") to use other means to get more information (white pages, etc etc).

What I usually do, is write something completely unrelated as the answer to the security question. It is in some way another password for me.

Re:Does anyone else see a problem with this? (1)

KDR_11k (778916) | about 8 years ago | (#16070983)

Pfft. Even my sister, a total computer illiterate person, managed to break several security questions. Many people will just answer you if you ask them the question they used for that. Others simply use Q:Wazzup? A:Nothing.

Re:Does anyone else see a problem with this? (2, Insightful)

mdielmann (514750) | about 8 years ago | (#16068774)

Well, I'll tell you my system. I make up words. They're made up, so I don't use them in regular conversation. They're pronounceable, so I can remember them well enough. They won't be found in a dictionary, because they aren't real. If I have 4 or 5, I should have enough for most secure systems. I use less secure passwords for stuff where I don't care if you get in - my slashdot account, for instance.

What ticks me off are banks that only allow 4 digits for PINs. My old bank allowed 6, a 1 in a million chance, and harder to keep track of if you're trying to peek over my shoulder. 4 digits are almost impossible to hide effectively without wearing your tinfoil hand visors.

Re:Does anyone else see a problem with this? (0)

Anonymous Coward | about 8 years ago | (#16072833)

Wells Fargo, at least at the time I did it, allowed me up to 12 characters for a pin when I requested a pin change. I don't know if the magnetic track on the card really supports that, however, so I'm taking it on faith that my extra digits aren't just truncated.

Re:Does anyone else see a problem with this? (1)

merlin_jim (302773) | about 8 years ago | (#16068231)

An intruder gained access to the database . So they're resetting passwords. Good.

But they're using the "security question" ... which is also probably in the same database that was already compromised?

Ironically, I just got done going through the process when I decided to check slashdot lol.

In order to load the security question you have to click on a link with a UUID in an e-mail to your registered address - the attacker would have to have access to your e-mail as well.

Also I would note that the attacker got encrypted passwords - no word on how strong the encryption was, but there's at least even money he can't read them anyways.
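The reset flow merlin_jim and kcbnac describe (a random link e-mailed to the registered address before the security question is ever shown), as an added Python example that is not Linden Lab's code; the token store, the URL and the one-hour lifetime are assumptions, and the security-question step is left out. It adds the property jthill's objection calls for: only a hash of each token is persisted, so a copy of this table yields no working link, and every token is single-use and expires.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600                          # assumed lifetime of a reset link
RESET_URL = "https://example.invalid/password"    # placeholder, not the real site


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical persistence for reset tokens. Rows hold sha256(token)
    plus an expiry, never the token itself, so a dump of this table (the
    thread's worry) cannot be turned into usable reset links."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}          # account -> (token_hash, expires_at)

    def issue(self, account: str) -> str:
        """Mint a fresh token; the caller puts it only in the e-mail link.
        Issuing again replaces any earlier token for that account."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._rows[account] = (_token_hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account: str, token: str) -> bool:
        """Consume the token: unknown account, expired or mismatched all
        fail; success removes the row so the same link cannot be replayed."""
        row = self._rows.get(account)
        if row is None:
            return False
        token_hash, expires_at = row
        if self._now() > expires_at:
            del self._rows[account]
            return False
        if not hmac.compare_digest(_token_hash(token), token_hash):
            return False
        del self._rows[account]
        return True

    def persisted(self) -> dict:
        """What an intruder copying this table would actually see."""
        return dict(self._rows)


def reset_link(token: str) -> str:
    """The link that goes into the e-mail."""
    return f"{RESET_URL}?token={token}"


def parse_token(link: str) -> str:
    """Recover the token from a clicked link (only the query parameter)."""
    return link.split("?token=", 1)[1]


if __name__ == "__main__":
    store = ResetTokenStore()
    link = reset_link(store.issue("resident@example.invalid"))   # constructed account
    print(link)
    print(store.redeem("resident@example.invalid", parse_token(link)))  # True once
```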

Re:Does anyone else see a problem with this? (1)

Hydryad (935968) | about 8 years ago | (#16071023)

TBH that is not ironic so much as simply coincidental. On a related yet undoubtedly offtopic note, security questions aren't.

Re:Does anyone else see a problem with this? (1)

Breakfast Pants (323698) | about 8 years ago | (#16070504)

The thing that should really concern them is that the passwords are probably represented in the database as MD5 checksums. The problem with this is that the intruder can essentially run a dictionary attack through an md5 program and get a lot of common words (there are actually multiple gigabyte databases out there on the web for free, full of text of common password/md5 checksum pairs). With the plain text passwords of many users in hand (certainly not all), they can then go about trying these on banking sites, etc. using the usernames from the databases. MD5 checksum storage for passwords really is a weak link in a lot of systems. It works fine for very strong passwords, but it doesn't solve as many problems as people think. (Note: it doesn't matter whether it's MD5 or SHA-n or whatever for the attack I'm talking about, the attack doesn't involve 'cracking' md5, it simply relies on common passwords being enumerable.)

Re:Does anyone else see a problem with this? (1)

KDR_11k (778916) | about 8 years ago | (#16070989)

That's what salt is for, add a short string to the password before hashing and the hash is completely different and all hash lists are useless.
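The exchange above (Fweeky's rainbow tables, Breakfast Pants' precomputed password/MD5 lists, KDR_11k's salt) in working Python, as an added example that is not part of the original thread or Linden Lab's code; the password list is constructed and the "salthex$digest" storage format is assumed. It also goes one step past the thread: a per-user salt only defeats precomputation, so a deliberately slow KDF (PBKDF2) is shown as the stronger form.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords; a real precomputed table holds millions.
COMMON_PASSWORDS = ["password", "123456", "letmein", "secondlife", "qwerty"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_lookup_table(candidates):
    """md5(password) -> password, computed once and reused against every
    stolen hash: the 'common password / md5 checksum pairs' of the thread."""
    return {md5_hex(p.encode()): p for p in candidates}

def store_unsalted(password: str) -> str:
    """The weak scheme: bare md5 of the password, identical for every user."""
    return md5_hex(password.encode())

def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt, kept next to the digest as 'salthex$digest'.
    The salt need not be secret; it only has to differ between users."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex() + "$" + md5_hex(salt + password.encode())

def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)

def store_pbkdf2(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Beyond the thread: salt plus a slow KDF, so even a per-user dictionary
    run costs 'rounds' hash operations per guess instead of one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    salt_hex, rounds, digest = stored.split("$", 2)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest)

def resolve_with_table(digests, table):
    """Which stolen digests a precomputed table resolves with zero per-hash
    work. Salted digests never match, because the table was built without
    the salt: exactly KDR_11k's point."""
    return {d: table[d] for d in digests if d in table}

def audit(user_passwords):
    """Compare the two storage schemes against the same lookup table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = [store_unsalted(p) for p in user_passwords]
    salted_digests = [store_salted(p).split("$", 1)[1] for p in user_passwords]
    return {
        "unsalted_recovered": len(resolve_with_table(unsalted, table)),
        "salted_recovered": len(resolve_with_table(salted_digests, table)),
    }

if __name__ == "__main__":
    # Constructed user passwords: two weak, one strong.
    print(audit(["letmein", "secondlife", "Tr0ub4dor&3"]))
```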

Kudo's for intelligent security actions... (0, Flamebait)

hcob$ (766699) | about 8 years ago | (#16068042)

Too bad the clients are mostly as bright as a match.... in a blizzard.... on Mt. Everest.

Re:Kudo's for intelligent security actions... (1)

Anonymous Coward | about 8 years ago | (#16069258)

Kudo's what?

Oh, dear... (1)

creimer (824291) | about 8 years ago | (#16068056)

There goes the planet. Time for a third life...

Are you kidding me... (1)

hxftw (996114) | about 8 years ago | (#16068087)

It's already been slashdotted.

Re:Are you kidding me... (1)

merlin_jim (302773) | about 8 years ago | (#16068282)

It's already been slashdotted.

I highly doubt that it's slashdotted... far more likely it's SLdotted - SL's website is never that fast anyways, and can crash / become unusable from load related problems completely and totally unrelated to slashdot, in my experience...

Wow! (2, Funny)

KitsuneSoftware (999119) | about 8 years ago | (#16068088)

Finally, it's good to see a company taking security seriously!

That said, and this isn't their fault, I'm cynical about the claim that credit card data wasn't compromised...

Re:Wow! (1)

planetjay (630434) | about 8 years ago | (#16068176)

Are you retarded? They're not taking security seriously. They never have. The fact that this happened proves it!

ObPA (4, Funny)

Rob T Firefly (844560) | about 8 years ago | (#16068267)

Secret questions can be troubling. [penny-arcade.com]

Re:ObPA (1)

Das Modell (969371) | about 8 years ago | (#16069383)

I hate security questions. They're totally insecure and I never use them anyway. I have a small set of different passwords that I use everywhere, randomly. Maybe this isn't the best possible practise, but I'm just some lonely guy on the Internet, and not working for a company or in charge of national security. At least I always remember my passwords or, failing that, try all of them until I find the right one.

Correct me if I'm wrong, but isn't it a bit insecure to have questions like "what's your mother's name" and expect people to answer honestly? For a would-be hacker, it wouldn't be very challenging to find out the answer, would it (unless you're just some nickname on the Internet)? Therefore, I will just enter some random bullshit answer, which of course I can't remember five minutes later, and thus the security question is useless.

Re:ObPA (1)

GigsVT (208848) | about 8 years ago | (#16072357)

At least I always remember my passwords or, failing that, try all of them until I find the right one.

That always worries me when I have to do that.

Now that site knows all my passwords. They might even be sitting in some "invalid login" log file, in plaintext.

This could be serious (-1, Offtopic)

spyrochaete (707033) | about 8 years ago | (#16068358)

FYI Linden Labs requires users to input their credit card information (or billable cell phone number) in order to play Second Life, even if they spend no money. I'm rather pissed about this. Some details about what personal information resided in this database would be much appreciated.

Re:This could be serious (3, Informative)

CronoCloud (590650) | about 8 years ago | (#16068443)

I'm sorry that's incorrect. That used to be the case, but not anymore. While the "input credit information" page still comes up, you can skip it.

Re:This could be serious (0)

Anonymous Coward | about 8 years ago | (#16069308)

Actually, that's no longer true. For a while now, it's been possible to make accounts without a card (you still need to put one in to get money, though).

It took two days to cancel passwords (3, Interesting)

jstrauser (711857) | about 8 years ago | (#16068499)

This means users were vulnerable without notice of a breach during that time.

No CC or Cell phone # Needed anymore (2, Informative)

Anonymous Coward | about 8 years ago | (#16069237)

No CC or cell phone needed for a couple of months now.
Signups now on SL are only tied to a valid email address.

Praise for Linden Lab (1)

mrdudy (1001366) | about 8 years ago | (#16069337)

I'm really impressed by the way Linden Lab has been handling this issue. Though the exploit seems to be not their fault, they are still humbly taking the blame. In addition, as soon as they figured out the extent of the hack, they reported it to the users, and immediately changed all the account passwords in their systems. They didn't really need to do this, i.e., they could have just issued a warning, but it shows that they care about the users' security more than their public image (no doubt this password change will negatively affect the community for weeks to months).

The way I see it, everyone is going to be hacked. It's a fact. I just praise the way Linden Lab has handled the situation thus far.

Sockpuppet? (1)

Argyle (25623) | about 8 years ago | (#16070673)

Praise?

C'mon this has got to be a plant. Even a rabid Second Life fanboy wouldn't be praising this security breach. Of course it's Linden's fault for the breach.

Re:Sockpuppet? (1)

bateleur (814657) | about 8 years ago | (#16070933)

There's also the fact that this is the only issue he has ever felt worthy of comment since signing up for his account.

I dunno, you think Linden would have enough money to shell out for a professional sockpuppeting service. It's not like they've been spending all their money on server security!

Re:Praise for Linden Lab (0)

Anonymous Coward | about 8 years ago | (#16070931)

You're not reading the SL user forums.

Actual SL users are up in arms that it happened at all, that it took two days to tell anyone, that the fix isn't really a fix (as noted, the database that was stolen likely contains the answers to the security question needed to reset accounts), and that their SL user data has possibly been connected to their real-life information, and their credit info may have also been stolen.

As you must know, many SL users take great pride in keeping their "real life" info out of the game, which is one of the reasons SL users tend to do things they'd never do in reality. But now, someone has stolen all they need to tie the SL to the RL. This is bad, bad, bad.

In my main SL account, my "real life" info is fake. I'm not me in the game, and my info on file isn't really me either. SL is the only place that fake info has ever been used or given to anyone. If I start getting spam or phishing with that info, then it will have been from this breach. That account is funded via Paypal so at least there's no credit card to steal.

holy hell (1)

Desolator144 (999643) | about 8 years ago | (#16069903)

If that happened in the game I play (Silkroad Online) people would be pissed. No wait, TURBO PISSED! I think that alone could change South Korea into "the bad half" cuz that's where they made the game. Last time I tried to change my password, it wouldn't take my answer to my secret question even though I triple checked it when I made it.

Hacking Second Life? I'm not worried... (1)

NexFlamma (919608) | about 8 years ago | (#16070940)

Wake me when a samurai-sword-wielding pizza man starts spreading ancient Babylonian curses.

Just curious why this is under Role Playing Games (1)

Andrew Kismet (955764) | about 8 years ago | (#16071458)

Second Life features very little G, and smatterings of RP based on individual players. It's no more of an RPG than the entire internet is...

Serial numbers are go! (1)

SirJorgelOfBorgel (897488) | about 8 years ago | (#16074867)

Those security questions often annoy me... especially if you have to choose from a predefined set. Everybody who knows me knows my hometown, for example. What kind of security question is that? If possible (e.g., the answer box has enough text), I usually use the 40-digit serial number from the box the first CD-R I ever bought came in. Don't even ask why I know that number by memory :D Back to Linden Labs, while they may have been at fault for not sufficiently securing the servers, the way they have handled it is commendable. Not many publishers of games like that would handle it like this. Hell, I'm sure MindArk (Project Entropia) wouldn't!