Update: Resetting Passwords
Saturday, September 9th, 2006 at 6:54 AM by: Robin Linden
Late last night (early this morning?) the web team completed a change to the code that will give you a few more options for resetting your passwords on the website. If you a) don’t have access to the email address on file with us (or the address doesn’t exist), or b) can’t remember the answer to your security question, read on…
Go to the password change request page and enter your Second Life name. You’ll get a page that says information was sent to your email (Instruction Sent). Choose the link at the bottom of the page that says: Email no longer active? Click here.
You’ll be taken to a new page that will give you several options for validating your account.
If you aren’t forwarded to the new page, or if you are but none of these options work for you, we will have Lindens available on Monday who can help you on the phones.


September 9th, 2006 at 7:18 AM
So how does this stop people from entering avatar names they know the SL home location of (one new validation option), and thereby gaining access to their accounts?
September 9th, 2006 at 7:38 AM
This may work for some but will not work if your password has been locked because you failed the security questions and you have been told to call on Monday.
September 9th, 2006 at 8:21 AM
This was a great, and very welcome, addition! Thank you very much for doing that page, I hope that it remains in effect forever…
Still, there are some glitches, and perhaps I may ask what is supposed to be the “last amount charged” on a free account, where there was never any payment registered to LL? I assumed “0” in ignorance, and managed to lock out one of the free accounts I do for RL presentations.
It’s not *very* important, though, I can get back to your phone line in a month or two when things are more quiet at LL, and in the mean time, I have to remember to set myself to “Busy” and wear a titler saying “I’m doing a presentation in RL, please do not disturb!”, so I’ll manage to survive hehe.
This was an excellent idea. I also liked that the questions rotate somehow, they’re not exactly the same, and new ones pop up (apparently randomly), so someone trying to “pre-guess” them will have a hard time doing so.
September 9th, 2006 at 8:37 AM
These options are
* answering the security question users created during signup
* knowing the last billed amount of US$
* knowing your home location
While there are probably plenty of people whose E-Mail address no longer is the same as the one they specified when creating their account, these options are risky for everyone else too. It doesn’t take much for an attacker to guess the home location of somebody (especially when attacking people with their own sims, who most likely have the home location set to their sim). Also it’s only possible to set your home location to land you or your groups own, which can be retrieved from inside SL (people ARE keeping databases of this) as well as Infohub locations (dictionary attack) - so setting your home location to something hard to guess is not a viable option (also there aren’t that many regions available, which might allow for a dictionary attack with all the regions - depending on how many attempts the request page allows).
The last billed amount is guessable (is there a limited amount of times you can try this form?) again by simply using a dictionary of a very few numbers (the standard monthly subscription costs, plus the rent for X island sims).
Furthermore the security question includes the choice “town you were born in” which in many cases could be the town in which people still live - which was included in the compromised data.
As long as these extended recovery options are available, I’d be very concerned when receiving a password recovery email which I did not request myself.
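The comment above describes a dictionary attack against knowledge-based recovery answers (a handful of billing amounts, a known home region) and asks whether the form limits attempts. The following is an added example, not part of the original post and not Linden Lab’s code: a toy recovery checker with an optional attempt cap, run against a constructed candidate list, to show that the cap, not the secret, is what decides whether such low-entropy answers hold up. The account data, candidate amounts and the three-attempt limit are all assumptions made for the demonstration.

```python
"""Added example: knowledge-based recovery answers vs. a dictionary attack.
Everything here (account, candidate lists, attempt cap) is constructed for the
demonstration and does not describe Linden Lab's real implementation."""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    """Constructed sample account; the 'secrets' are low-entropy facts."""
    name: str
    last_billed_usd: str
    home_region: str
    failed_attempts: int = 0
    locked: bool = False


class RecoveryService:
    """Checks a recovery answer; locks the account after max_attempts failures.

    max_attempts=None models a form with no limit at all."""

    def __init__(self, accounts, max_attempts=None):
        self.accounts = {a.name: a for a in accounts}
        self.max_attempts = max_attempts

    def check(self, name, field_name, answer):
        acct = self.accounts[name]
        if acct.locked:
            return False
        # Constant-time comparison so timing does not leak a partial match.
        ok = hmac.compare_digest(getattr(acct, field_name).encode(), answer.encode())
        if ok:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if self.max_attempts is not None and acct.failed_attempts >= self.max_attempts:
            acct.locked = True
        return False


def dictionary_attack(service, name, field_name, candidates):
    """Try each candidate in order. Returns (succeeded, attempts_used)."""
    for attempt, guess in enumerate(candidates, start=1):
        if service.check(name, field_name, guess):
            return True, attempt
        if service.accounts[name].locked:
            return False, attempt
    return False, len(candidates)


# Constructed placeholder amounts, not real subscription or sim prices; the
# point of the comment is only that the list of plausible values is tiny.
BILLING_CANDIDATES = ["0.00", "9.95", "72.00", "195.00", "295.00"]


def run(max_attempts):
    """Attack a constructed account whose last bill was 195.00."""
    acct = Account("Example Resident", last_billed_usd="195.00", home_region="Example Region")
    svc = RecoveryService([acct], max_attempts=max_attempts)
    return dictionary_attack(svc, acct.name, "last_billed_usd", BILLING_CANDIDATES)


if __name__ == "__main__":
    print("unlimited attempts:", run(None))  # attacker wins on the 4th guess
    print("3-attempt lockout: ", run(3))     # account locks before the 4th guess
```

The same lockout that stops the guessing is also what strands legitimate users until the phone lines open, as several comments in this thread show; a short-lived lock (hours, not days) or a cap per source rather than per account is the usual compromise, but any cap at all only helps if the candidate space is larger than the cap.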
September 9th, 2006 at 9:58 AM
Yeah, I think the “Home location” field is too easy to guess, as are in fact all the other ones, like Ezhar said.
Just remove them, people should keep their account info up to date anyways…
September 9th, 2006 at 10:13 AM
To me, the main problem doesn’t seem to be my address no longer working, or that I don’t remember the security answer. The main problem is, starting from yesterday 10AM SLT (a few minutes after the password lockout) I applied 5 or 6 times to the Password Change Request Page, then I waited for the full 2 hours each time, but I haven’t received any instruction mail yet.
What’s your experience out there? Did someone actually receive the instruction mail? Many? A few? What does LL know about that?
If someone would give me the instructions, I would stop applying all the time and adding to the total mess. I guess many others are in the same situation.
September 9th, 2006 at 10:58 AM
Scorpio Galatea: You are incorrect. My password was locked, however, after using one of the new options I got my password reset and was fine. So no, your password can still be changed through the new options even if your password was locked if you forgot your security question answer.
September 9th, 2006 at 10:59 AM
So has anyone gone through to see what additional security requirement is in place if someone enters someone elses AV name, correctly guesses their homepoint (because they know where their house is), and then selects the ‘I don’t have access to the old email account’ option to bypass the true account owner’s email? I think I’m going to go in and randomly reset my Homepoint Sim until I know for sure and all this blows over.
September 9th, 2006 at 11:06 AM
Is there any chance for me to request to answer the password reset questions again? I was having internet connection problems, thinking that it had slowed down or disconnected, so I reloaded/refreshed the page too many times.
I didn’t know that there are only 4 responses to the resetting passwords only.
September 9th, 2006 at 11:15 AM
Ezhar: I’m just guessing here, but I gather from what Gwyneth said that if you miss one of these new questions just once, your account gets locked out.
Anyway, I agree some of the new questions are a tad lax… so quick, go reclaim all of your alts! I’m also happy because I just reclaimed an alt that I wasn’t able to get back before.
September 9th, 2006 at 11:26 AM
In the various posts made last night, Robin mentioned that the security question/answer data was part of the data that was compromised. Given that you are allowing people to bypass the email verification step, and selecting the security question/answer to reset passwords, what is to stop the intruder from resetting anyone’s password by using their security answer and bypassing the email step? Also, I’d like to know if any of the friends list data, SL home location, or payment transaction information was also stored in the database that was broken into? Considering friends and payment transaction information is available from the website, I would figure it would be in the same database that was attacked. If so, those methods are just as faulty as the secret question method. I realize you’re dealing with the backlash from people that don’t remember email addresses, used fake email addresses, or can’t remember their secret question, but at this point, you are putting the entire SL user base in jeopardy to help those that have forgotten. Any and all content, L$ balances, and land holdings are at risk if you continue to allow people to bypass the email verification and use data that is now potentially in the wild. What is Linden Labs going to do about the ongoing security holes in their system?
September 9th, 2006 at 11:30 AM
I was one of the people who no longer recalled my never-before-used Secret Answer. I was concerned with how long it would take to get through to LL next week to clear it up.
These new verification options saved me a major hassle. Thank you big time. Very helpful.
Insofar as people’s security concerns with it, it seems that it would require someone to also have access to your e-mail account in order to get to that page. So unless they have full access to your e-mail they wouldn’t even get a chance to guess at previous billed amount, friend names, etc..
September 9th, 2006 at 11:34 AM
This is not secure, too many people that know the user will be able to easily guess one of the answers. How about require that the old password be entered before answering questions? That would be the most secure option. I don’t see why it can’t be implemented or why it already hasn’t. Please do so before people start gaining access to others accounts.
September 9th, 2006 at 11:36 AM
Not to mention, I hope this is ONLY available to those who have not yet reset their password.
September 9th, 2006 at 11:47 AM
Great, well as a casual SL’er I’m now blocked out of my (one-off payment) account (it didn’t accept my security questions). I’m not in the US and I’m damned if I’ll hang around on hold for a toll number… I guess SL is going to have a population crash as I can’t be the only one having re-authentication issues. Farewell SL, maybe I’ll try again in another life.
September 9th, 2006 at 11:48 AM
I have been locked out as I did not get a question right in the security check. Although I now know the answer I cannot get back as I have been locked out.
I live in the UK. SL has given me a phone number in UK to phone to reset my password.
I have checked with British Telecom UK THIS NUMBER DOES NOT EXIST
September 9th, 2006 at 12:18 PM
Any one else have the security bulletin email from LL flagged by AV as having a malformed attachment? F-Secure stripped the attachment from my message.
Have servers been checked for code which may be pushing additional malware via email from LL??? Might be “normal” but after a compromise anything is possible.
September 9th, 2006 at 12:18 PM
I’ve been an SL’er for over a year. I just got the notice that my account information has been compromised. I got the message to come to Second Life and change my password.
Problem:
1. At the web site, only SOME links work.
2. None of the links to My account or Resident Login work (they all time out)
3. From reading the blog, its unlikely that I will remember which email address I created an account with, as I never get any announcements or updates about SL in any email accounts I have. (Hint, send an email update on the situation to all known accounts, as this will give people a chance to identify which of their numerous email accounts they used to become a SL resident with)
4. I have a free account, so I would have no idea what the last charged amount will be.
5. My home location? are you kidding me? It’s taken a year just to roam around and find things and get a feel for what there is on second life, let alone know the name of where my avatar starts :-S
September 9th, 2006 at 12:24 PM
So those of us who locked themselves out as someone mentioned above now have to wait until Monday? Seriously, that sucks in terms of service.
September 9th, 2006 at 12:30 PM
How do we get back into the Residents area of the web site? I seem to get into an infinite loop of password-reset demands!
September 9th, 2006 at 1:19 PM
I am Italian and I don’t want to call the US to get my password again… It’s not my error that they have changed the password and I don’t want to spend huge money on that call…
I am really disappointed; I have waited a long time for an email… But no replies…
I have put some money into SL to purchase L$ and I can’t wait again….
I am European, I have a European version of Explorer and I can’t see the other option for validation…
I’m waiting for a response..
Please give me my email for notification :°°
September 9th, 2006 at 1:33 PM
I don’t believe asking for three friends’ first names is a good question, Linden. I cruised through all the questions and didn’t know the name of some guy I’d met the previous night or two, and didn’t remember. Now what?
September 9th, 2006 at 1:34 PM
I did get the instruction email back, but I couldn’t find the link to change my password, does anybody know how this works?
and if I forgot my security question, what should I do? I am from UK, make expensive calls?
September 9th, 2006 at 1:41 PM
You have to read the email in order to get the link for the reset page. No?
So why is everyone getting paranoid about having someone gaining access to their account through the home location field? If you are that scared, then you really need to change your email’s password or do something that makes you feel better.
September 9th, 2006 at 2:50 PM
Thank you for the hard work and concern LL!!! You guys rock, I wuv you all. HUGZ!
September 9th, 2006 at 5:59 PM
May I recommend skype?
Also, I can see how this could have been avoided. Since apparently it was an exploit with the tiki software, they should have made an individual user account instead of using one that has access to every table on that database. So, maybe this is a learning thing. When I read their security bulletin, I can safely say that you shouldn’t worry at all. Your CC information (if it /was/ exposed even) would be highly encrypted with MD5 and a salt.
MD5 is used to encrypt things like passwords, and can take a long time to decrypt. It is very fast to encrypt, so it is used to store passwords in a database. An example: if I stored the “md5” of the word “password” I get the md5 of “5f4dcc3b5aa765d61d8327deb882cf99” - but if I was to add a salt (extra data added on to the sensitive information) I get a whole different thing. So if I was to get the “md5” of “,password” I get “2fef368e2dccb8bdae1b46e857646e71” - notice how different the last two hashes were, but how one character changed everything.
If they were to gain access to this database, and were able to dump ALL of it (which is a lot of data, and can take a LONG time to download), a cryptography expert would have to brute force the hash of at least 16 numbers, 4 dashes if they included them, and some extra data which can be as long as they want. Brute forcing means to go through every single combination of letters, numbers, symbols, even binary data in many lengths of data until the hash of the combination equals the target hash. So in theory, if you were to do 100 calculations a second, it would take a couple hundred years at least (if you are lucky) to decrypt it. Usually, to go through every combination possible (up to a hundred characters) it can take millennia to go through every possible combination.
So in my eyes, I wouldn’t spend 4 hours of my time worrying about it. I really appreciate the fact that LL did do a reset of all of the passwords because they may not be salted. To be extra safe, change your password to something that it wasn’t before. To be sure that your password is a good one, go to http://www.securitystats.com/tools/password.php for a strength meter and advice on how to create a secure password.
September 9th, 2006 at 6:24 PM
On 4:57 PM I wrote, I cannot login on the website with the new password. But (shame on me!) it was my fault, had the cookies set off!
September 9th, 2006 at 7:02 PM
Probably the best thing to do if you are locked out is wait two or three days and start calling on Tuesday. Can you imagine the crush of phone calls they are going to get on Monday? I think Linden Labs should allow people to be able to access the online password reset page AGAIN six hours after you accidentally lock yourself out. Six hours is long enough to be locked. That will save them a lot of phone calls. Consider that six hour thing please, Linden Labs! I’m not locked out but one of my friends is and is very pissed…and it sounds like a lot of other people are too.
September 9th, 2006 at 7:29 PM
“I wanted to start an event inside SL to discuss these things (as far as one can enter SL). But with the new password I can enter to the game, but I cannot log in to parts of the SL-website that need a login. Does anybody have similar problems? ”
I think you can only access the forums now if you have a paid account or your account info is on file.
I’m also screwed till Monday because I just started SL back up and made a lot of acquaintances in the process. On the first attempt, I knew all three names except I misspelled one because she spelled her name differently than what it was supposed to be. The second time, I could remember two out of three friends’ first names, and on the other attempts the same thing.
If I send you an email with proof of three friends on my friends list, would that be proof enough??
I do thank you for bringing this up as a solution as it will make Mondays less busy for you, but it just didn’t work for all of us.
Also I have a suggestion.
If someone cancels their account completely, please remove that person from the database along with their credit card number and personal information as it is no longer needed and if most of the people that cancelled years ago knew that their cc info was still on a database for a MMO, platform or whatever you wish to call it, they wouldn’t be too pleased.
Mistakes are made and things like this happen but stuff like that doesn’t boost confidence.
Now I’m sure you’re sick of all of the complaints so sorry to add more but I’d like to say this.
Secondlife, Phillip and all of the lindens, thank you for your hard work and thanks for making such a neat platform that adults can enjoy. To me secondlife is not only a platform or an MMO, it’s in fact one of the only MMO’s adults can relate to and have a good time or just be creative. No matter how much whining, nagging and complaints come from customers, they do like Second Life and if they didn’t care they wouldn’t say a thing.
I’m sensing that with the forums closing that there must be a negative impact on your minds and maybe a decrease in morale or a sense of just giving up because that’s what happens when companies get bombarded with negativity but keep your heads held high and know that you’re all brilliant.
Now for everyone concerned with cc info security. The good news is that it was encrypted. If the hacker did not download the database (very possible) chances are you are safe but go ahead to clear your mind take the necessary steps to protect yourself from identity theft and remember this problem is everywhere you turn now. If you go to the hospital, who knows what the person taking your cc info’s intentions are or your social security number…it takes an amount of trust to hand out such information and we do it every single day!
It’s not your fault as a customer and you have every right to be upset but hopefully this will make LL think more about protection, privacy, getting rid of all information after someone cancels their accounts, hiring more people involved with securing their customer’s privacy.
I don’t think phone calls should be the end all be all of options. I think emails would also suffice. This would be good for international users.
September 9th, 2006 at 8:24 PM
Surely CREDIT CARD details are just as vulnerable. The details about the attack state that encrypted password and encrypted credit card details were stolen. If all this trouble to change passwords is really necessary then why aren’t credit card details a concern? I can think of three scenarios:
1. Passwords are encrypted with much weaker encryption than credit card details, and are much easier to break, so therefore passwords MUST be changed, but credit card details are presumed to be safe.
2. Passwords and credit card details are encrypted similarly, and therefore our credit card data has been successfully harvested.
3. Passwords and credit card details are encrypted similarly, but this whole password resetting was really unnecessary.
Anyone know how safe our CREDIT CARD data really is?
September 9th, 2006 at 9:25 PM
Look, I put in my old pass and it sends me to a web page that says call. I work your hours so I can’t just get up and call. Then I ask for help on your help line and they send me to this web page that again sends me to that web page I went to before and again gives me a number to call that I can’t reach. A bit too much trouble if you ask me. Since my character is gone it seems I’ll have to go back to playing EverQuest. Let my roommate know on her email if there is a solution, or don’t if you don’t care. Thanks for the annoyance.
September 9th, 2006 at 9:34 PM
I’ve been trying for hours to get a reply to my request just so I can get back on to SL. I recently changed my email address and didn’t have time to do anything before this outbreak, so I was wondering, if any Lindens read this, if someone could send me another request, provided they’re sending them to non-paying members… not exactly the most understandable thing in some respects… I realize they require money to run this, but if the people on here don’t have any money to cover anything other than what they have already, how are we going to pay you? So if you would, someone please send me a password reset. I’m not one of the people here to gripe about the lack of security; anyone can hack anything with the right amount of experience, so please, I would appreciate an email of some sort… I just want to see a few friends again…
September 9th, 2006 at 10:20 PM
Hey whatsup
Short Version:
New password not working: Try IE instead of Mozilla for your password change.
Longer Version:
I had trouble changing my password. I received the email, clicked the link, made the change, and the website reported my password was successfully changed and that I could now log into Second Life.
What’s odd (as a couple above noticed) is that the new password didn’t work. I waited but it still didn’t work. I tried another email and it reported the password was successfully changed, etc. But no luck. Two hours. Still the new password didn’t work.
I decided to try using IE instead of Firefox for the new password entry. (Pasting the link from Email into IE)
New password worked. :>
Hope this helps someone! :>
September 9th, 2006 at 11:29 PM
Carefully reading the blogposting at the top of this page and all of the above comments, it is clear that:
1 - I am not alone in having a working email address (to which support have recently sent me a communication), having used the password site as advised to request a new password (several times now), and having not yet received the relevant email with password and instructions.
— This means that that function IS BROKEN - IT DOESN’T WORK (for many people at least) —
2 - The Linden team are either unaware that this is the case, or are oddly refusing to acknowledge that it is the case? Why? That worries me. The above blogpost appears to be blaming us for the failure of this function - they are saying we either don’t have access to our email or we can’t remember our security question. There is no acknowledgement that the function is not working at THEIR END (for many people at least). WHY?
I am very reluctant to go through the process here advised as they do not seem to be addressing my issue and I don’t want to risk forcing a situation where I have to call them from South East Asia.
If it is true that there is still some shuffling of Lindens in the accounts of residents who are unable to log on, then the whole system needs to be shut down NOW. Or at least all financial functions frozen.
It’s not the problems that matter - it’s how you handle it.
We need some clear and unambiguous information here. Simple, honest updates about what is happening is really not a hard, nor time consuming thing to do. Type a few words - hit the post button. Treat us like adults (not to say, paying customers, whose money you are supposed to be looking after).
I understand this was an unexpected, complex and possibly devastating problem, and that your team may be stretched to the limit. But take some time out to address the concerns in these comments. There are a lot of people very worried. And be straightforward, please. People will be more patient and understanding if you are. Thanks and good luck.
MD
September 10th, 2006 at 12:17 AM
After forgetting my security answer, I waited a while, and then went back and was presented with a new set of questions. Upon answering one of the other questions correctly the first time, I was let back in. Very simple, very smart way to handle it.
September 10th, 2006 at 1:18 AM
UK, Australia, Canada, toll-free numbers
There are toll-free/freephone numbers if you live in one of these three countries (Canada shares the US number). Felder, and anyone else in the UK, ring 00800 72200010 (you need both the zeros).
If you’re not in the UK, go to the Call Us page, and there’s a link to the other international numbers.
But I have to ask - why are there toll-free numbers only for these three countries? I have no axe to grind - I’m in the UK, and I’m back in SL - but it seems unfair.
September 10th, 2006 at 2:23 AM
What is this crap that some ppl can reset and others have to wait till Monday, only to probably get stuck on hold while some non-existent person who really doesn’t care about you or your time puts you on hold… I hardly play the game nowadays and I’m thinking this is icing on the cake… to just cut my losses now and move back into RL……
September 10th, 2006 at 2:46 AM
I think these comments will be very useful for LL staff to read as they indicate some shortcomings in the ability of LL to offer efficient customer service. These are the main points I can extract:
1) SL started as a game but now LL and users want to use it for serious things. This requires a real, professional, 24/7 customer service and support helpdesk. Most users are upset because to reset their passwords they have to wait to Monday when, evidently, there will be so many calls that most users will only find busy lines.
2) Many people from outside the US complain that they cannot call LL customer support because it is too expensive, they don’t speak English well enough, or they live in a timezone from which it is impossible to call the US at business hours (this is another reason why customer service must be 24/7). I think LL should start dedicating more attention to the requirements of non-US users. This requires also language localization and local support call centers. Of course these things cost money, but this is business: one needs to spend money to make money.
3) It is normal that when nobody paid any attention to Second Life there was no significant security risk. But now that SL is always on the press, with businesses and even politicians moving in, there can only be more and more attacks and I believe LL should address security like a bank. In particular, for things like password recovery, it is important to find a suitable tradeoff between security and usability. I wish to recommend that LL hire a professional IT security firm with experience in the banking and financial services industry.
4) We tend to forget the answer to “security questions”. I certainly remember the name of the street where I was born, but did I use only lower case? Did I include “street”, “avenue” or “square”? This can make the difference between success and failure when only a limited number of attempts is allowed. I believe security questions are only effective when users are allowed to create their own security question.
5) As it was mentioned on the 3pointD blog, the coming 3.D web is too important to be run by a single company, even one so good as LL. With a single point failure so big, it will be difficult to persuade major businesses and administrations to invest money and resources. Clearly a robust, secure and usable 3.D web must be based on a distributed and redundant architecture with open standard, interoperable and redundant components. This was the choice of DARPA when today’s Internet was planned in the 70s.
September 10th, 2006 at 3:03 AM
Want to secure your pass ENTER FALSE INFO 3 TIMES and it will say call them to reset it then you can relax
September 10th, 2006 at 3:14 AM
For those of you who are saying you are unable to call the US because of a toll…
If you have a headset or can get your hands on one, download Skype. At the moment, Skype lets you call out to ANY US number for free.
September 10th, 2006 at 8:09 AM
Honestly!!!
When all of this happened, I was able to log into my alt accounts, but not my main account because I misspelled the answer to the security question. I live in the UK, but since I had a few Lindens in my account, I felt sure that I would be calling San Francisco Monday afternoon. What an inconvenience!!
Know who I blame?……..Myself.
I got the answer to the question wrong. The reason there are security questions is to keep our accounts secure. Yeah, it’s a hassle for everyone, but we should remember where we put the answers to our security questions….if we wrote them down. They even provided an out for those of us who forgot our answers. The answer to the home question…..change your home til this blows over. That’s what I am going to do.
I am thankful that Linden Labs took appropriate measures when they spotted the problem. Way to go, guys. You definitely have a thankless job ahead. You do have my appreciation tho!!! ^_^
September 10th, 2006 at 1:53 PM
Hello, I’m here to post about this. I myself, along with others, am very angry at LL, just because they should have better security. However, they shouldn’t have given us all those options without some BOLD print saying you only have to pick one. Most of us are more concerned about getting our accounts back than reading fine print. So I do blame myself for messing up; however, LL is responsible for this mishap and I’m willing to bet as soon as I get back on a lot of my SL is going to be messed up. So thanks to myself for failing to read the fine print, and GOOD JOB LL for being irresponsible with security and screwing up my SL and SL relationships!
September 10th, 2006 at 2:46 PM
Jade Whitcroft Says: “Scorpio Galatea: You are incorrect.”
Jade, I am sorry, but the revised password setting introduced after the initial uproar does NOT work for me! As soon as I use the link where the email is no longer associated, I expected to get the new reset page. I don’t. I get the same old ‘Call us on Monday to recover your password’. If it worked for you and others then I am pleased.
If the Lindens had reset the lockout after they posted the revised password change then I and others might have stood a chance. Makes me dread just how much ‘You’re in a queue, please wait’ Muzak I am going to have to endure when I attempt to contact the USA on Monday.
September 10th, 2006 at 3:23 PM
Very shortly, it seems that users outside the US can’t receive the instruction mail and are not directed to the alternative request page. So no chance for us to even try to get back to our account. If you look, anyone complaining about this here is from outside the US. I am too, and I’m stuck with it.
This is an important issue as many of us also have additional problems (language is one of them). I believe LL is doing a very bad job for us. There’s now evidence that some of us are treated differently from the others and made totally unable to even try to reset the password, while others can make different attempts and try different options. Even though it’s Sunday today I believe the situation is serious enough for someone from LL to stay at work and keep us more up to date with what’s happening. Also, making the phone helpline available today wouldn’t have been a too bad idea.
If only someone would take a moment to tell us they actually know the problem and are trying something to avoid these shameful differences in treatment, we would be more in the mood to appreciate their work. As it is now, it simply seems they’re BBQing with their families giving no damn about us non-US users. Shame!
September 10th, 2006 at 4:57 PM
md5 “encryption” isn’t encryption. md5 provides only a checksum of the data; a hash. The question I have: Was there only an md5 checksum of the data, or was there a symmetric, e.g. DES, 3DES, Diffie-Hellman, encrypted subset of the credit card/password data compromised? md5 is used only to verify the integrity of data; it is NOT used to -encrypt- data storage.
Question #2: What 3rd party application was used to compromise the machine? Which applications are being used by Linden Lab: IIS or Apache, or any variations thereof?
September 10th, 2006 at 5:00 PM
In addition, what happened to the logs which were being generated by the application software? Are they being stored on a remote logging server? There are syslogging servers now which operate on Windows machines which can replicate data to a remote location. This sort of data and due diligence would be standard for the industry.
September 10th, 2006 at 6:20 PM
So what’s the reasoning behind forcing everyone to change their passwords? If they’re concerned that the encrypted passwords were stolen, weren’t the security question and other account details (except the credit card number) also equally likely to have been compromised?
September 10th, 2006 at 6:56 PM
Paula, I didn’t get the e-mail either, but I managed to get to the alternative-options page and change my password there… I’m sort of miffed that LL expects users to *call* San Francisco in the absence of other options, though.
Although… if you think about it, password resets through e-mail are definitely not secure right now. How many people use the same password for their e-mail and SL (although technically that should be discouraged)?
Giulio - are the security answers case-sensitive??? I wasn’t aware - lucky I typed mine in the same case!
September 10th, 2006 at 8:11 PM
Why don’t we leave the technical stuff to LL and everybody stops whining? They’re doing a great job. There’s not much a company can do against 0-days.
September 10th, 2006 at 9:11 PM
Anyway, WHOEVER stated that MD5 is used to encrypt credit card data is lying. In terms of encryption, MD5 is ONE-WAY (it isn’t really encryption, but rather a one-way hash/digest), i.e. you cannot decrypt the data that has been encrypted. This isn’t much use for credit card numbers since LL needs to be able to decrypt the CC numbers in order to transact on the account. Passwords on the other hand are often hashed since it isn’t typically necessary (or desirable) to recover them. Basically, you enter your password initially and it’s hashed with MD5 and the result stored. When you need to authenticate with the password later, you enter it, it’s hashed, and the result compared with the hash stored away.
I would hope that the CC data is encrypted with either a symmetric cipher such as DES3 or AES, or an asymmetric cipher such as RSA or DSA. The latter is less likely as it would require far more computing power to process. If they used a symmetric cipher I really hope they used an IV/salt otherwise the encryption is useless and the encrypted data is subject to a codebook attack.
My point in stating all of this is that whoever mentioned CC data being encrypted with MD5 has thrown a red herring into the works when what we really need here is factual data.
Lola
September 10th, 2006 at 9:30 PM
“lol”, I get the sentiment, but don’t appreciate it. I AM a technical person, and I have worked in the security and crypto field for years on security products from the 2nd largest software company. The products I’ve designed and developed are used to secure trillions of dollars worth of inter-bank transactions every day. I know this stuff inside-and-out. I also know that it is often poorly implemented, and while I have no reason to believe that LL are incompetent in this area (hey, incursions are impossible to eradicate entirely) I would still like some information on why they state that my CC data is secure while they consider my password to be vulnerable when both were stolen together (it was stated that both were encrypted). Flapping your eyelids and saying “let’s just trust that they know what they’re doing” is like not locking your door at night because you trust the police will protect you.
Lola
September 10th, 2006 at 10:21 PM
I’m sort of miffed that LL expects users to *call* San Francisco in the absence of other options, though.
You’d want to explain what other options you’d like them to have.
Anyhow, generally, data such as security questions, credit card data, and home address are stored in different portions of the system - credit card info, for instance, should be stored on a machine that was ‘off’ the internet - write-to access only. Same with security questions. Now home address and real name would usually be in the clear, as this is information that a Linden or user would need more commonly, and would be something that people would also often be able to ‘guess’, so it wouldn’t be considered safe.
On the flip side, it would be nice to get maybe a help page or reminder how to update your security information and such once you’re back in - like changing your email to something appropriately current, etc.
September 11th, 2006 at 12:05 AM
Thanks for mentioning that, Biblio Ronzoni. That’s the most rational statement yet, as to why the solution approach taken is faulty.
September 11th, 2006 at 12:11 AM
Lola said:
I would still like some information on why they state that my CC data is secure while they consider my password to be vulnerable when both were stolen together (it was stated that both were encrypted).
I can think of a possible reason why they might say something like that. I’m guessing that the MD5 sums for the password and CC info were stored in the compromised database (they’ve already said that the CC data exposed consisted of MD5 sums). It’s been shown that it’s sometimes computationally feasible (though still difficult) to come up with SOME input string that will MD5 to a given MD5 sum. It’s easier to do this if there are more MD5 sums available to try to guess. In order to steal someone’s account, all the attackers need to do is come up with some password that will have an MD5 sum equal to some SL account. It need not be the actual original password.
With the credit card number MD5 sum, the attacker would have to actually guess the original credit card number, and they have no way of knowing whether they’ve guessed the correct number or just another number that has the same MD5 sum. That means that having your CC# MD5 sum compromised is not as big of a deal. There’s not much useful they can do with it.
September 11th, 2006 at 4:40 AM
Lola, MD5 is also how Cisco routers encrypt passwords. It can be decrypted. And the location of the MD5 statement is in the e-mail sent out when the intrusion was discovered. Here’s the excerpt:
Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?
A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.
September 11th, 2006 at 5:36 AM
What surprises me the most at this moment in all these comments is that everyone is mad at LL and how they handle things and no one is angry at those who caused this problem in the first place. So it is ok to attack a game/simulation/whatever but it's not ok for the victim (LL AND residents) to react in order to help and protect themselves and those using their software. I didn't expect this to be hassle-free at all but I'd rather have a little bit of hassle and discomfort for a couple days if it ensures safety and stability in the long run. They acted fast and they acted on OUR behalf. That a fast reaction as a solution can't be perfect is not a surprise, is it?
I'm sure even in these comments they collect all information they can. Why not give them some credit for the way they handle this? Personally, I'm mad at whoever caused this hassle, not the ones who are trying to cure the bite. :p
September 11th, 2006 at 5:42 AM
I have read through these blogs and I must say, I agree with a lot that is said here. I, too, have been a bit angry with what has happened and I really do not like sitting here waiting to call a number that will charge my phone bill long distance for a mistake that was not my own. It is very true that this is a somewhat “secure” way to reactivate a password. BUT at the same time, shouldn't the number be toll free? Seeing as we are customers for a company, we should be treated a bit more fairly.
But, having that in mind, I also must admit that the Lindens have set up a pretty good security system from what I have heard. To catch an elusive hacker in as little time as they did IS not an easy feat. True, some may say that the security system is inefficient because they “did not prevent the case in the first place” but we must face the reality of life: This is an online based game/business, and it deals with hundreds of thousands of people around the world. Something was probably bound to happen sooner or later, as much as we hate to admit it.
Now, again, as for the solution, it is nice that they offered other ways in order to call the Linden line. At least Linden is trying to do SOMETHING. Seeing as some people may have accidentally locked their accounts (due to some reason or another) Linden has answered responsibly to that.
We are all a bit angry at what happened, and we may or may not think that the solution provided is the best solution that Linden could have supported. But it is a solution. Take what you get, and then contact Linden and discuss in a calm manner what can be done to make things better. I’m sure that will get you farther than arguing about it on a blog. I hope this makes sense and got my point across, as I am not much of a writer.
If any Lindens or Linden staff are reading this, thanks for what you HAVE done thus far.
September 11th, 2006 at 5:47 AM
Pending the potential problems with everyone’s password being reset on Friday, no doubt when most are at work, I honestly don't understand why a live help team wasn't put in place with extended hours to help those who may have forgotten their account information on Friday; or at the least extended a few live help hours for Saturday morning.
September 11th, 2006 at 6:23 AM
Can’t I just request that my password be locked and save myself and Linden Lab’s call center the trouble?
September 11th, 2006 at 7:31 AM
Well…. credit card information encrypted or not, it’s only a matter of time before the encryption is broken. I totally second the general opinion here that this is a major screw-up on LL’s part, and notifying their customers as soon as they did is a good thing, but let's face it: they didn’t have another choice. If they hadn’t done so, it would have come out sooner or later and then it would have been the end for LL for sure, and then they would have to explain why they kept it silent.
I contacted my credit card company, explained to them what I was told by LL, and they advised me to immediately block my credit card. They wanted to have the details of the company involved, because they apparently want to know what security mechanisms were/are in place at LL. Also the fact that credit card information is stored (albeit in another database) in unencrypted form didn’t seem to go down too well. Either way, databases containing this sort of information shouldn’t be accessible like this from the internet.
September 11th, 2006 at 7:55 AM
LL did a good job to reset the passwords, but they should have had people ready in the weekend to help recover passwords. The people who are playing SL shouldn't have to wait a whole weekend, because that could get people who rent stuff into problems, like losing your house because you should have paid Saturday, or your whole shop. Also I think they had time enough: they discovered on 6 Sept that an intruder was busy, so they had 3 days before the weekend. But hopefully they learn from this all.
September 11th, 2006 at 8:15 AM
I really hate this blog, no quoting functions, no “reply to” … it’s just unusable. Anyway:
Sarion Cardway Says: Lola, MD5 is also how Cisco routers encrypt passwords. It can be decrypted.
This is *not* correct. MD5 is a hash, not an encryption. MD5 can *not* be decrypted. You can try and find a password that generates the same MD5 sum as the original password (collision), but you will *not* be able to decrypt an MD5 back to its original value. Additionally, LL adds a “salt” to the data to be hashed (scrambled), which makes it even harder to provoke a collision.
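Added example (not code from any commenter or from Linden Lab): the store-then-compare scheme Lola describes above, with and without the salt that the Linden FAQ excerpt and the comment just above mention. The `salt$digest` record format and the short common-password list are assumptions constructed for the example; MD5 appears only because it is what the thread discusses.

```python
"""Store-then-compare password hashing, salted and unsalted (added example).

MD5 is a one-way digest, not a cipher: nothing is "decrypted". The site
stores the digest and, at login, re-hashes what the user typed and compares
digests. Without a salt, equal passwords give equal digests, so a stored
digest of a common password can be matched against a precomputed table.
A per-user random salt makes each digest unique and defeats such tables.
Finding a second input for a given digest (a preimage) is still impractical
for MD5; the realistic risk to stored digests is guessing weak passwords.
A current system would use a slow, memory-hard password hash (scrypt,
bcrypt, Argon2) rather than a single MD5 round.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(password: str) -> str:
    """Weak scheme: digest of the bare password, nothing else."""
    return md5_hex(password.encode("utf-8"))


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme. The 'salt_hex$digest_hex' record format is an
    assumption of this example; the thread never shows Linden Lab's format."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    return f"{salt.hex()}${md5_hex(salt + password.encode('utf-8'))}"


def verify_unsalted(password: str, stored_digest: str) -> bool:
    return hmac.compare_digest(store_unsalted(password), stored_digest)


def verify_salted(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt; compare in constant time
    so the comparison itself does not leak how many bytes matched."""
    salt_hex, stored_digest = record.split("$", 1)
    candidate = md5_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, stored_digest)


def salted_digest_part(record: str) -> str:
    return record.split("$", 1)[1]


# Constructed stand-in for a precomputed table of common-password digests
# (a real one holds millions of entries); used here as a defender's audit
# of what an unsalted credential store exposes.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "secondlife"]
COMMON_DIGESTS: Dict[str, str] = {store_unsalted(p): p for p in COMMON_PASSWORDS}


def audit_digest(stored_digest: str) -> Optional[str]:
    """Return the common password behind a stored digest, or None.
    Only unsalted records can match: the salt changed the hashed input,
    so a salted digest of the same password is not in the table."""
    return COMMON_DIGESTS.get(stored_digest)


if __name__ == "__main__":
    pw = "letmein"
    weak, strong = store_unsalted(pw), store_salted(pw)
    print("unsalted:", weak, "-> flagged as", audit_digest(weak))
    print("salted:  ", strong, "-> flagged as",
          audit_digest(salted_digest_part(strong)))
    print("verify ok:", verify_salted(pw, strong),
          "wrong pw:", verify_salted("letmeout", strong))
```

Two users with the same password get different salted records, which is exactly why a stolen table of salted digests is less useful than one of bare digests.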
September 11th, 2006 at 8:22 AM
Oh, I’m furious at the idiot who did it, but LL did drop the ball on this. They should have notified us the day they noticed the incursions to change our passwords, reserving the right to do a mass invalidation if they felt the situation warranted it. The Zero-Day had nothing to do with that part. That was their decision, not the hacker/exploiter’s. This would have alerted players that their accounts were open to hacking and to watch everything in their account closely. No major disruption would have been needed at that point.
Catching the perp is not as important as notifying the customers. We’re the ones who suffer for their stupidity and should have been notified so we could make our changes earlier and possibly prevented this from having farther reaching consequences.
Also, they had two days to prepare for the massive headache of the password invalidation and they did not USE it to prepare for the worst. It is a reasonable outlook for a company, prepare for the worst and hope for the best. I don’t know if they thought of the number of people who wouldn’t remember their answers to the secret questions, but they should have. It’s predictable, human nature.. especially if you signed up at the beginning and well, had a lot of life changes. Those phones should have been staffed the moment the passwords were invalidated. Also, explaining other means of vocal contact, such as Skype, for those who cannot afford the overseas calls would be a very good thing.
I love the game, which is why I haven’t left it yet. It fills the creative niche, allowing me to express myself in ways that were only imagined. I will gladly put up with bugs and glitches, crashes and lag. The main worry I have is that the Lindens are no longer caring about the game. It shows in the little things like customer service, planning, and overall decisions in guiding the game. That’s what’s really infuriating me. Those ‘little’ things are the faces we see, not the average Linden who’s just trying to get their job done. This just magnified the issues into one big glob.
September 11th, 2006 at 8:43 AM
This is the thing - I’m naturally inclined to be sympathetic with the LL team and what an awful thing that the nasty crim has invaded all our niceness, but….
I have a working email. I can remember all my questions and answers. I pay money to this site. I have my credit card details entrusted to this site. BUT, I happen to live outside the United States of America.
The one single thing that is pissing me off mightily is the fact that the LL team insist on patronising me and insulting me and screwing me around with the pretence that there is no problem with their system for international customers. (It’s my guess that the ‘intruder’ may have come from offshore)
I’m not going to sue anyone - I just resent that my time is wasted trying to figure out what’s wrong, when the LL team probably know exactly what’s wrong. But in a fit of protectionism they are afraid of saying, ‘oops, yeah that’s bollocksed’.
My natural instinct as a human being is that when I find myself in a difficult corner where unexpected circumstances surround you with difficult problems and choices is not to say, ‘all you foreigners are worthless bastards and we don’t owe you any explanations until we have done with our weekend’, but to look around at our common humanity and think where there may be people who we can stand by, because they might stand by us, if we trusted them and treated them with respect and basic civility.
Do you realize how much ill feeling you could have avoided with this simple message:
‘We are sorry, but due to technical reasons accounts held by persons outside of the US may not be able to reset their password as normal. We apologize and are working to correct this - we expect to have this sorted in the next week or so. It may be that you have to phone. That’s the safest way. Sorry.’
But they refused to acknowledge there was a problem. I don’t understand why. I have my credit card details held with this company. I need to understand their behaviour. I need to trust them. They have disrespected me by their blaming me for their systemic fault.
Why do people want to defend this lack of acknowledgement?
It’s like normal expectations don’t apply with this business.
Just for a moment, If you are fortunate not to be in a position where you have not erred and yet are being told you are erring and your credit card details are being held by those that have erred and yet are saying that you have erred and yet again refuse to do anything beyond ‘call us in a few days you erring sonofabitch’, imagine you are in the shoes of the unerring accused of erringness.
September 11th, 2006 at 8:51 AM
Hey; anyone complaining about phone charges should download Skype, and use it to dial the number. US numbers are free to call until December from anywhere in the world. This is good because toll free numbers CANNOT BE CALLED by international players, which is why it would be useless to set one up, seeing as Chung and others are not in this country.
Also you can’t just delete people’s account for being non current; there’s money in there people, it’s not really a game for me. I make money here that I can then spend on eve-online and other game purchases without having my spouse complain about how much I spend on games.
I have a decent balance with SL and it’s a little like my 4th bank, after paypal, and my 2 more real local banks.
September 11th, 2006 at 8:53 AM
And as people are being so insistent that we should direct our anger at those people who caused the whole problem in the first place - the hackers….
Grrr… You rotten nasty people. I direct my anger at you. Yes, I do. I look sternly in your direction. I ‘tut’ loudly. I go ’sheesh’ and shake my head. Grrrr. You buggers, you.
Why I oughta…
-rolls eyes-
September 11th, 2006 at 9:08 AM
Hi:
I just phoned to reset my password. The hold was only about 5 minutes, and the guy I spoke with was very polite and professional. Apparently they’ve got an ‘all hands on the phone lines’. Thanks for making it a quick process.
-Stimpy
September 11th, 2006 at 9:13 AM
I never fill in a secret answer because if you know someone well and he has something like “which street did I grow up on”, it's easy to guess too.
And the extra options, are we supposed to remember the first names of all our friends?
Could guess 2 names if lucky with randomizing, but I also got a lot of people in it I didn't speak to a lot.
Well, I'm not a paying member so it's ok with me that I have to wait, but I just hope they give me a new password someday, not that they lock me out because I don't remember everything, while it's their fault for resetting the original passwords.
September 11th, 2006 at 10:02 AM
Please, just let me back in. I love my Second Life, I’m going to die if I don’t get it back. Please. God. Help me. I’m having to do things like make sure the soil around my new houseplant is very very even. I even did the washing up. This cannot be sustained. Give me my Second Life back. What did I do to deserve this cold shoulder? Do you know what it’s like to level houseplant soil or do washing up?
-weeps profusely-
September 11th, 2006 at 10:46 AM
THANK YOU Eric at Linden….took 5 mins today to phone in and get my temp password……
I know you are all working hard to resolve this for everyone….I have been in other 3D chat sites in the past and this is by far the best!!!!
Keep up the good work
misty
September 11th, 2006 at 11:44 AM
A good suggestion: for some reason the toll free US number isn't answering, so use the worldwide toll number.
September 11th, 2006 at 2:39 PM
One of the ways that hack attempts like this can be mitigated is to use trusted operating systems on machines that are storing sensitive data (whether in a database or otherwise). If the SL database machine was running Argus PitBull then even if the hackers used some web server exploit to root the box, they would still be locked out of access to anything else on the machine. TOS technology has come a long way in the last 5 years or so and there really is no reason that businesses storing sensitive data should be having all of the data breaches that have been in the news lately. There is a lot of info at http://www.argus-systems.com
Don’t just take my word for it (since as an engineer at Argus I definitely fall under *biased*), check out sites like http://www.nsa.gov/selinux, en.wikipedia.org/wiki/Mandatory_access_control, or just google search it.
Companies are only going to start taking the measures that already exist to truly secure private customer data once the customers start demanding that they do so.
September 11th, 2006 at 3:11 PM
Why do you need any of the silly questions ………. They send the email to the address you provided at the time you signed up to get the name. Why not send a temp password to that address and forget the questions?
September 11th, 2006 at 4:13 PM
Di Xie, you are right. I'm looking for an answer to that question.
September 11th, 2006 at 4:49 PM
I am not saying I think the whole fault is LL's, but they could have handled this better, from using something more secure for the more sensitive user data, to having done things like people here suggested, like warning about the password reset, and making password reset “questions” not so easy, also making the password reset system as a whole more robust, so people would be able to solve their issues by themselves without risking losing their account.
Today I had a friend that allegedly was called by the hacker, who allegedly knew her av name and her real name, and perhaps a few more, but she didn't talk much with the alleged hacker.
Other than the downtimes I myself personally didn't experience any problems with this whole event (except the downtimes), but from what I've read, and from what I've been told, lots of people got their face smudged when the shit hit the fan…
I am not sure if we can really blame LL for what they did and didn't do, I mean after all they are just humans, and throughout history big catastrophes are often needed for humanity to learn to do things closer to the right way; often there were thousands of studies prior to the catastrophe advising changes that would make the catastrophe not happen, but the catastrophe still occurs…
…not sure if I actually had a point with all this rambling, I just felt like saying those things…
September 11th, 2006 at 6:55 PM
You need to tag these as “SECURITY” like your email said. FoxNews just picked up a Reuters article about the security breach. When you follow the link for blog posts tagged security, you get… nada.
September 12th, 2006 at 6:39 AM
I’m with Di Xie on this, it's just too easy to have compromised the questions.
If people are dumb enough to forget their email addresses / passwords or not update them with LL when they change addresses…..
And as for who to blame, well sorry but LL have to take the fall, its their system.
September 13th, 2006 at 2:41 AM
Sigh, I don’t understand the phone bit. For my own reasons I will not be calling. If they can’t do it over e-mail I guess I’m out.
September 13th, 2006 at 4:52 AM
I was just reading the police blotter and found a few of these :
Taking part in account contents theft.
Action taken: Suspended 7 days.
I wonder why these people are allowed back.
September 15th, 2006 at 8:06 AM
I failed the questions and had my password locked, now the only way to get it is to phone. Calling, however, is not an option for me and I don't see why they can't just send it to my email address, which hasn't changed since I signed up. I have not been able to access my account since passwords had to be changed. I just want my password so I can get back to playing; I worked hard to get everything I had and I would really hate to have to start all over again.
September 16th, 2006 at 1:21 PM
I have tried all week to get them to send me the email promised that would give me the link to change my password. I’ve called tech support this week and left a message and haven’t received a response back. I’ve emailed tech support a few times and haven’t gotten anything back from them either. I don’t know what else I can do. They did take my payment out this week but don’t seem to want to back up their promise to give us the best support and experience possible. I feel like they are overwhelmed and are just sitting back waiting for the air to clear. That won’t happen unless/until they take care of these problems in a timely manner.
September 18th, 2006 at 9:33 AM
Caira it looks like you’ve been able to log in since you posted here, so I’m assuming that you’ve been able to change your