Linden Lab’s Data Disclosure Violates LL’s TOS

by Pixeleen Mistral on 09/09/06 at 10:40 am

Residents advised to reset passwords, or create more unverified alt accounts
by Pixeleen Mistral, Herald National Affairs desk

Linden Lab warned itself Friday that it had probably violated its own Terms of Service by disclosing some (maybe all?) of an internal database holding customers’ Second Life names, real life names, and real life contact information. This disclosure came in spite of Linden Lab’s most recent newsletter reminding the community that disclosure in Second Life is a tricky business. Sources suggest that the Second Opinion newsletter editor was “not surprised that nobody read that story,” though such reports could not be confirmed at press time.

The Second Life creators’ disclosure also happened to include metaversal citizens’ encrypted passwords and possibly credit card information. Robin Linden stated that the security questions used to create a new password may also have been compromised. This excited a certain amount of comment on the soon-to-be-closed SL forums. For instance, Usagi Musashi said, “a Well designed Company is SUPPOSE to keep the ‘security question’ on another data base!!!!!!!!!!!!!!!what the fuck is shit doing on the same data base!” in the general forum. To reassure residents, and directly address their questions, a comment-disabled official Linden blog entry discussed the situation. Email was also sent to metaversal citizens stating, “The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form.”

Some residents wondered whether it might also be wise to reset their credit card numbers, since they are stored in encrypted form in the compromised database. Friday night I stopped by the Welcome Area looking for guidance, but everyone present was busy suggesting that noobies really ought to wear some clothes in a PG sim as a number of naked noobs propositioned anything that looked like it might respond, including plants and benches. I declined several offers of friendship from the unclothed, and recalled once again how little time it takes in the Welcome Area to have had more than enough. Somehow, I always forget.

At press time the official position of Linden Lab is that all SL residents must reset their passwords before gaining entrance to the virtual world. This will pose a problem for avatars who have difficulty with the self-service password reset page, since the Linden Lab phone-in helpline has the weekend off. Unverified Linden (a Linden staffer without any credit card information that could be compromised) hinted that the phone-in helpline staff is actually serving a 2-day ban on behalf of the organization. This selfless group originally volunteered to serve a one-week ban from answering the phones, perhaps hoping irate avatars might calm down. After studying the official police blotter for guidance, they were eventually persuaded that a 2-day ban was enough for a first TOS offense. By acting as the designated irate customer buffer, the phone support group has scored mega-points in the “Love Machine” employee ranking system for “taking one for the team”. In unrelated news, an unexpected surge in demand for strong drink was reported in the vicinity of Linden Lab’s San Francisco offices late Friday.

14 Responses to “Linden Lab’s Data Disclosure Violates LL’s TOS”

  1. nonsmokingarea.com

    Sep 9th, 2006

    SecondLife user-database hacked!

    everyone even slightly interested in MMOG SecondLife probably already heard yesterday’s bad news: an official security announcement on Linden Labs (creators of SL) reported a hack of SL’s database earlier this week. Linden Labs admits that user-d…

  2. FlipperPA Peregrine

    Sep 9th, 2006

    I’m afraid your premise is flawed here. Linden Lab didn’t disclose anyone’s information: disclosure is a voluntary action. Linden Lab had data stolen by a criminal using a zero-day exploit (meaning, one that was discovered before 99.9999% of the world would have had time to patch – the same day the exploit was discovered, it was used on them). There’s a world full of difference.

  3. Go Fuck Yourself LL

    Sep 9th, 2006

    I have a question: does this mean that any abuse reports filed in game within the time frame of the security breach will be discarded? I mean, after all, how can LL prove who was really on your account? Then again they just do as they please so I won’t be surprised if everyone gets banned from the game lol. assholes.

    P.S. i am officially done with second life.

  4. Espresso Saarinen

    Sep 10th, 2006

    i suspect the weekend hiatus is to contract with and create customer service agent scripts for a contract call center.

    i also wonder how ll is dealing with the legal notification issues around such a breach, especially in California.

  5. Jeremy Vaught

    Sep 10th, 2006

    hah! This is a great story. Thanks for the humor.

  6. Prokofy Neva

    Sep 10th, 2006

    >I’m afraid your premise is flawed here. Linden Lab didn’t disclose anyone’s information: disclosure is a voluntary action.

    Good example of how any sense of humour or irony or satire is absolutely missing from the FIC.

  7. DJ Jenns

    Sep 10th, 2006

    >Good example of how any sense of humour or irony or satire is absolutely missing from the FIC.

    Still going on about the FIC then ? lololol starting to look like a kid that wasnt invited to the birthday party.

    Back to the topic though, and well in my eyes – as bad as the situation is, thumbs up to LL for making it very damn clear whats happened and trying to make everyone aware how serious the situation is.

  8. M W

    Sep 11th, 2006

    The way LL has reacted by turning off their customer service and taking a weekend off shows how far this company has to go before SL will be taken seriously.

    They should have contacted members via email. Not everyone reads the Blog.

    I am still unable to log in to my account since they lost my verification question. This action has cost me possibly L$1000s due to lost fees and trading.

  9. whatever

    Sep 11th, 2006

    Ironically enough, LL gave the hackers the tools to go after people who are verified, which is in our in-world profiles. Thanks LL for making it so easy for thieves and idiots to know who is verified and whose info to get. We wouldn’t want them wasting time on the unverifieds now, would we. BRAVFUCKINGO!!

  10. GridSpy.com

    Sep 15th, 2006

    Second Life’s 650,000 user database compromised

    Linden Lab, the San Francisco-based company behind the Second Life site, said in a letter to its 650,000 users this weekend that its customer database, including names, addresses, passwords and some credit card data, had been compromised….

  11. Nacon

    Sep 16th, 2006

    Creating more unverified alt accounts will only lead to your ban from SL for breaking ToS because you are not paying for another account, thus you’re unverified.

    Don’t be a retard.

    LL took the weekend off because their leader didn’t want any Linden crew going around talking about the disclosure and giving away more info… which would disclose the disclosed info that the hacker was able to pull from LL. Not only that, they need time to follow up on a plan to deal with this whole “security” issue THAT NEVER HAPPENED to them before. Sure, they were hacked before… but those had to do with the main grid; this whole database is a whole new, different target. Can’t you imagine how much it will take to set up a whole phone calling network to take in more than 50 calls per hour? A lot. Don’t be stupid and go imagining that they are outside playing a basketball game.

    They are fed up with stupid people; this hack was choking them by just having the same stupid people bugging them even more after they heard about the attack.

    It’s like setting a fire station on fire: who’s gonna wake up and call the fire station?
    You can’t… cause they’re on fire, so put the phone down and go back to sleep.
    I’m sure they noticed the problem themselves.

  12. Random Writer

    Sep 17th, 2006

    IF LL were smart enough (or caring enough; I chose that they don’t care), common IT setups would NOT host avs, main account numbers AND credit card numbers AND PayPal info on the same server and only encrypt half of it.

    Hell, I’m not even into computer companies, but I do know what common sense is.

    Don’t be a fanboy about this. It’s totally unacceptable for such an easy hack as was done to be allowed to happen to us. Sure it was zero day, and for all we know, a real 10 accounts may have been hacked, but considering LL never throws a credit card number away from its system and they house it in the same system encrypted with the av details which WERE NOT, that’s like holding a back door open to a thief.

    If they had done it right and the fire station was set on fire, a back up fire truck would have been en route in minutes to put it out. (I.E., they would have had a secondary wall to break through, requiring more time and then the initial hack would have been seen in time.)

    They are operating at the cheapest cost possible, not only leaving beta testing to main grid people, but not running enough servers, not even close. No more than 2 sims a server would be ideal, and content would have been another, payment info would be another, financial info would be another, av listings would be another, etc. But they choose to run 4-5 sims a server, and only 1 single server for everything else? I didn’t dare dream they’d be that stupid, yet here we are, in the endless barrage of pw resetting.

    Hell, they even hosted the SECURITY questions and answers on the SAME server and THAT was hacked right after!

  13. Random Writer

    Sep 17th, 2006

    P.S. As for creating unverified alts being a violation of ToS, they only ban by av, not even as far as IP, therefore they don’t even connect the dots of unverified alts. They can’t ban for what they do not know. And considering how many people file reports that are ignored, they sure as hell aren’t gonna listen to reports on people who ‘say’ they are an alt of another.

    Ironically, they still require you to pay when you WANT to be verified on several accounts.
