
Second Life Database Intrusion via Web

Jim writes "A major security exploit has been discovered by Linden Labs, the company that operates Second Life. It turns out that on September 6th, an intruder gained access to the Second Life database. They have since closed the exploit. Today, September 8th, they finally announced this to residents and have cancelled all passwords. They have asked everyone to use the reset password form to make a password. This has resulted in mass confusion amongst residents on the forums who cannot remember their security question. Many more details below.
Calls to Linden Labs offices in California are directed to a message telling residents to change their password via secondlife.com/password.

According to the Second Life Blog:

"On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.

No credit card information is stored on the database in question, and that information has not been compromised.

As a precaution we have invalidated all Second Life account passwords. In order to log-in to Second Life you will have to create a new password. Please access the log-in page at https://secondlife.com/password, and click on the "Forgot Password" link. An email will be sent to the email address you have registered with us. (Don't forget to check your spam filter!) Please click through the link in that email, answer the security question, and create a new password."
  • by Da w00t ( 1789 ) on Friday September 08, 2006 @02:39PM (#16068041) Homepage
    An intruder gained access to the database. So they're resetting passwords. Good.

    But they're using the "security question" ... which is also probably in the same database that was already compromised?

    And how is this fixing the problem? What exactly prevents the intruder from using the security question out of the database they compromised?
  • by mdielmann ( 514750 ) on Friday September 08, 2006 @04:24PM (#16068774) Homepage Journal
    Well, I'll tell you my system. I make up words. They're made up, so I don't use them in regular conversation. They're pronounceable, so I can remember them well enough. They won't be found in a dictionary, because they aren't real. If I have 4 or 5, I should have enough for most secure systems. I use less secure passwords for stuff where I don't care if you get in - my slashdot account, for instance.

    What ticks me off are banks that only allow 4 digits for PINs. My old bank allowed 6, a 1 in a million chance, and harder to keep track of if you're trying to peek over my shoulder. 4 digits are almost impossible to hide effectively without wearing your tinfoil hand visors.
