Metaverse breached: Second Life customer database hacked
by Marshall Kirkpatrick on September 8, 2006

High profile virtual reality game Second Life reported today that one of its databases containing unencrypted user information was breached two days ago. The company confirmed that this is the first time user data has been breached since the service opened for public use in 2003. The database did not include customer credit card numbers, a requirement to register for the game (correction, that’s not the case anymore), as they were kept in a different database. The breached database did include unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users.

A company representative wouldn’t tell me whether behavioral or attention data tied to users was exposed in the breach, but did say that to the best of their knowledge none of that data had been captured. Such data could include information about embarrassing activities in Second Life that users may not like to have tied to their real life selves. There are a lot of very cool things that go on in Second Life, but there’s also a lot of sex and gambling. Update: Vladimir Cole at AOL’s gamer blog, Joystiq, a better authority on the particulars here than me, concurs (emphasis mine). “To put a finer point on it,” he writes, “what happens when archived MMOG chat logs are breached? It’s going to be ugly, like AOL ugly: ‘I swear honey, that Furry [avatar] meant nothing to me. It was totally just research for my new book. I’ll sell the teledildonics equipment on eBay first thing tomorrow.’”

Virtual worlds are big, they’re going to get bigger, and we should be demanding protection of user data from those worlds now. There’s already one politician said to be a possible US Presidential contender campaigning in Second Life; you can participate in American Cancer Society fund raisers, hang with the American Library Association or participate in substantial daily commerce. There are major corporations launching advertising initiatives in Second Life and consultancies forming to facilitate such activities. Acts of violence in a game that prohibits it are being reported with increasing frequency. This is serious stuff.

Apparently our Second Lives aren’t as separate from the rest of the world as we might have liked to think. Obviously no company is immune from such security attacks, but there’s something about the supposed freedom from consequences in Second Life that this calls into question. It’s been a rough week for privacy, considering the Facebook explosion, Craigslist sex baiting and HP spy scandal.

The security breach occurred on Wednesday and users were required to change their passwords at 9:30 am PST this morning. Mark Wallace at 3pointD writes, “Oddly, it seems that no notice was sent to users flagging the problem.”

One source told us that the entry into the database appears to have occurred via an exploit in Tikiwiki, a third party open source collaboration service that the company has since stopped using. The company was hesitant to disclose information about the breach, the data put at risk and the company’s architecture for fear that such information could make future exploits easier to perform.

Though far from the largest virtual reality game online, Second Life has gained loads of media attention (including the front cover of Business Week) because of the diversity of participants and the dynamic economic activity that goes on in the game. There are an estimated 3,000 users who make at least $20,000 per year from businesses in Second Life and the company’s founder recently said that between seven and eight million US dollars in real money changes hands each month in the game. Investors in Linden Lab, the company behind Second Life, include Amazon’s Jeff Bezos, eBay founder Pierre Omidyar and Globespan Capital Partners.

Though this wasn’t the first time a virtual reality game has been hacked and user data has been put at risk, it’s notable because of the number of nontraditional gamers who participate in Second Life and the discourse around it in particular as a symbol of online life to come. The number of registered Second Life users has doubled over the last two months.

Comments

How is this web 2.0?

 

TechCrunchReader: Web 2.0 is about sharing as much personal and sensitive information about yourself with as many websites as possible so that criminal elements can steal that data. These Web 2.0 companies are notoriously inept at being able to monetize the data they have but cons know exactly how to steal all sorts of personal data and cash it in.

 

Web 2.0 is evolving into something great. Everything great takes time to be perfected.

 

Yep it’s great. It’s never been so easy to perform identity theft, rip off people’s bank accounts and steal credit card numbers! And to meet easy chicks!

 

This is a bit inaccurate, as credit card numbers are not required to register for this game. CCs only have to be entered if you want to visit the adult areas or purchase items/real estate/linden dollars.

 

Jorge - thanks for the note. That must have changed since I first registered. I just went in and did it again and see that you can start with no Linden dollars w/o a CC number.

 

Coverage on Slashdot is more favorable in tone:

From the mouth of slashdot user “mrdudy”:

I’m really impressed by the way Linden Lab has been handling this issue. Though the exploit seems to be not their fault, they are still humbly taking the blame. In addition, as soon as they figured the extent of the hack, they reported it to the users, and immediately changed all the account passwords in their systems. They didn’t really need to do this, i.e., they could have just issued a warning, but it shows that they care about the users’ security more than their public image (no doubt this password change will negatively affect the community for weeks to months).

The way I see it, everyone is going to be hacked. It’s a fact. I just praise the way Linden Lab has handled the situation thus far.

 

James, is that typical of the comments over there? Different discussion going on at Digg.

It’s a tough situation, but it’s an interesting one I think.

 

I like the design of the web 2.0

 

Web 2.0 looks interesting. I like the look. I hope the security will be as good as well!

 

People will always be nosey and nosey people with technical abilities and bad intentions will always pose a privacy threat.

 

Credit card numbers were, in fact, breached. But those are encrypted. From LL:

“The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form.”

Forget the CC issue, I’m wondering when we’ll hear about the first case of blackmail. And what will that case be? I imagine there are more than a few people out there who’d pay money not to have their virtual activities made public.

 

If anything, this shows how important it is to base our virtual worlds on open, decentralized & standardized structures. I love SL, but if LindenLabs really wants it to become a global, wide-spread “web.3d”, it had better open it up soon! (more on this: http://nonsmokingarea.com/blog/?p=326)

 

Nice to hear that apparently Linden is learning about customer service from some of the comments above… I’ve tried for weeks to get a password reset as I forgot the last name for my second life character and cannot even get a response to my repeated emails… Perhaps the hackers are some similarly frustrated/pissed off customers - in which case, congrats Linden, based on my experiences you earned it

 

I agree with snowleo about the level of customer service. I DO remember my name, my pet’s name, the last amount billed, etc. and still cannot get my password reset. I have just left the 800 number a fourth voicemail and have not had a return call from a CSR to help get into Second Life. I’m not sure that Linden earned their troubles, but the level of customer service is the worst of the “net 2.0” companies that I have seen.

 

I had my HDD crash a couple of weeks ago, and with it went all of my login info for my Second Life account that I had just opened up. Anyway, I can not remember my last name either (god forbid you get to choose your own). I have called, e-mailed and I get nothing in return. I expect to see, however, charges to my credit card soon for my monthly billing. This is ridiculous. I was already thinking about cancelling because I was not overly impressed with the “game”, but now it is a definite. That is IF I can ever cancel it, of course.

 
