This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://software.silicon.com/security/0,39024655,39162221,00.htm
Online game world suffers data breach
Second Life data targeted by real life hacker...
By Reuters
Published: Monday 11 September 2006
Second Life, the fast-growing online site where hundreds of thousands of people play out fantasy lives online, has suffered a computer security breach that exposed the real-world personal data of its users.
Linden Lab, the company behind the Second Life site, said in a letter to its 650,000 users this weekend its customer database - including names, addresses, passwords and some credit card data - had been compromised.
All users - or 'residents' in Second Life parlance - are being required to request a new password. Some 286,000 residents have used the site in the past 60 days, according to a count on the homepage.
Cory Ondrejka, the chief technology officer of Linden Lab, said in the message to Second Life customers released late on Friday: "While we realise this is an inconvenience for residents, we believe it's the safest course of action."
Second Life is a three-dimensional software world on the web inhabited by animated characters that users design for themselves to interact with other participants. Users buy and sell virtual land and build businesses with currency called 'Linden Dollars', which can be exchanged for real currency.
Blurring the line between a multiplayer game and an online business, the popularity of the site has spurred Fortune 500 corporations such as Coca-Cola and Wells Fargo, along with architects, authors and musicians to erect virtual outposts of their organisations or personas.
Retailer American Apparel has created a business to sell clothing for the Second Life avatars users create to represent themselves inside the online world. Musicians such as Duran Duran and Suzanne Vega have held concerts inside Second Life.
The database breach potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users, Linden Lab said in the message to users. Unencrypted credit card information, which is stored on a separate database, was not compromised, it said.
The breach was discovered on Wednesday. The company launched an investigation that revealed an intruder was able to access the Second Life databases utilizing a zero-day exploit through commercial software used on Second Life servers.
Linden Lab's statement said: "Due to the nature of the attack, the company cannot determine which individual data were exposed." A technical probe is ongoing, it said.
The company said it will announce additional security plans on its blog.
Copyright © 2008 CBS Interactive Limited. All rights reserved.