‘Second Life’ Gaming Site Suffers Security Breach

Online fantasy gaming site “Second Life” on Friday admitted it suffered a security breach that exposed real-world personal data of its role-playing users.

A detailed two-day investigation confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.

In a letter to its 650,000 users this weekend, “Second Life” creator Linden Lab said its customers will be required to request a new password to access the three-dimensional software world that allows users to escape reality within a complex social structure and fully-functioning economy.

“While we realize this is an inconvenience for residents, we believe it’s the safest course of action,” Cory Ondrejka, the chief technology officer of Linden Lab, said in the message to “Second Life” customers.

Life Online

As its name suggests, the online role-playing game offers users an opportunity to live a double life. Gamers create a personal identity and claim virtual land. They also have the responsibility of earning money and maintaining their health. They even experience the social implications of joining a community and collaborating with others.

Players can spend their weekly stipend any way they want — on shopping, transporter travel, or admission to private events. They can also build their wealth and put their talents to use by making and selling items for “Linden dollars.” These virtual dollars can be exchanged for real-world money.

Corporations like Coca-Cola and Wells Fargo, among other Fortune 500 companies, have jumped on board the multiplayer game to offer virtual representations of their businesses. Real-life musicians hold virtual concerts inside the community, and clothing retailers sell their wares there.

Real World Threats

These virtual world gamers, though, are now concerned about a real-world threat in their “Second Life” community as hackers have access to their authentic identities. Making matters worse, a Linden Lab statement indicated that “due to the nature of the attack, the company cannot determine which individual data were exposed.”

The attacker accessed the personal information using a zero-day exploit through commercial software used on “Second Life” servers. The company did not disclose which commercial software product it uses.

The “Second Life” data breach is hardly the first of late. AT&T last month suffered a highly publicized data breach, and scores of others have reported compromised personal user information with much chagrin. Russ Cooper, a senior information security analyst with Cybertrust, is pondering the question of when Internet businesses will take online security seriously.

The Wild, Wild West

“Can you imagine if the grocery store in the local neighborhood lost its data as often as Internet businesses do? Would you still be going there to shop? If your bank was constantly losing your sensitive information, would you leave your money in the bank?” Cooper asked TechNewsWorld. “When does this stop?”

Cooper, for one, would welcome government intervention in the data security equation.

He pointed to the AT&T breach as an example of how sophisticated attacks are becoming. Hackers in that case used the data to launch a phishing attack against the victims of the identity theft.

“That attack looked far more legitimate because it was interspersed with supposedly confidential information, like the last four digits of their credit card numbers,” Cooper noted. “You put that type of sophistication together and there’s no way for the average consumer to distinguish a legitimate e-mail from an illegal e-mail.”

1 Comment

  • Surprisingly there have been many attacks in the virtual gaming world. Most of this is because much of the fake money that the games deal with can be exchanged for actual currency. Just follow the money.
    The article does mention though that many sophisticated phishing attempts are done with the availability of personal information, however, I disagree. A real bank would not provide any of YOUR personal information in an email, nor ask you to provide that information through email. If that was to happen, you can know the email is a phishing attempt for sure. There are also other ways you can tell a phony email from a legitimate one. Learn about the anatomy of a phishing scam…
    http://www.techknowbizzle.com/2006/03/anatomy-of-phishing-scam.html
