
Yep if you suddenly notice your Linden Dollar balance falling. Or your paypal balance suddenly gone poof: Don't worry! :D It's just yet another security breach in Second Life ~ and this one is a biggie. Since I'm that Public Service Kinda Gal, lemme break down the LL Obfuspeak for yall who got the email:
Q: Was my account information compromised?
A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.
Ok heeeeere we go! (But really before you read any further, take a few minutes to change all yer Second Life and Second Life related passwords. Yer alts, yer paypal etc. And why not even change your online banking pass while ya at it.)
Aaaand if you FORGET your info - good luck getting back into SL lololll!

_______
We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion.
This means once they figured out they'd been breached - they were able to find out that the hacker ganked a shitload of information.
The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form.
This is tellin yall that the person pretty much has ALL of ya stuff. They keep using the words encrypted and unencrypted to like, I dunno, make you feel like SOME of your info is safe.
It aint! :D
However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.
They can't tell if JaneDoe Resident's info got ganked in entirety or even if JackDoe Resident's info was only partially compromised. They can only tell that a WHOLE BUNCH of data was snagged and they are working on it to try and find out exactly what was downloaded.
_______________
Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?
A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company.
I dunno about yall - but I figure a person who can and wants to dig into info of a company like they did - has the wherewithal to do whatever they want with the info they get. Encryptions be damned. I guess the way into the LL database was encrypted too? What's scarier - if it was or if it wasn't? *shrugs*
Oh wait - here's the partial answer to that:
We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.
Ok techie geekstahs translate that into Brace Speak so I can unnastand WTF that is ty :D

________
Q: What was the timing of the attack and Linden Lab's investigation?
A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and [blah de blah blah blah]
All that basically means is the hackin started around Sept 3rd (if not earlier yall) and it really wasn't until today - September 8th - that they finally realized the breadth and scope of what had been going on.
UPDATE 9/9/06: If you're not sure what to do CLICK HERE and take the advice of this SL Resident. But if yer a broke ass basic account holder (like me) then you don't have much to worry about cept Identity Theft. And frankly, you'd be an idjit to steal mine. In fact - you can have it! Good luck paying back all my student loans, or trying to buy a house or a car with my destitute info LOLOLL! :D
______
So for those of you lookin to hang out with me in Second Life - I'm locked out until I get the email back that informs me on how to change my SL password. LL has since disabled all current passwords we all had, so you need to make a new one. Making one as a quick change on the website is no longer an option.
See you in a Tale in the Desert!

Me Getting my 49th Fumeology Point
and securing my FIRST permanent Stat: Perception :D
Long Live the Hookah!
- Mood:
tired

Comments
The thing that has me laughing my ass off is that someone had to disable or reduce the amount of information logged in the backend software for them to not know how bad the breach was. Wake up LL, turn that shit on. Go buy yerself another piece of shit Dell to store the logs for fucks sake.
They said billing info is encrypted. Past history of LL tells my gut to not believe them. If they can't tell me if my account was pulled in the breach, then they can't tell me my CC number is safe.
Addendum to my post: LL wake the fuck up, you can't do a half assed job anymore. Encrypt it all, or send an e-mail to the hackers of the world saying our shit is insecure.
And people wanna call this thang a platform or a metawhatsitwhosis
It's a GAME
cuz philly is playin around with ya hard in lindies and ya hard earned cash that ya got from ya lindies like its all monopoly moneh
What's crackin me up the most, is wondering what the fallout would have been if Wells Fargo was still on board LOL! But seriously remember Corey's (or is it Cory I forgit) speech after they left:
"We'll be trying hard to learn from this blah blah and look into better security measures blah de blah blah"
Ooooop!
Protection Paranoia
Let the Linden flaming continue!
It does, however, confirm that the best place to hold the 2007 SLCC would be in a brewery, just to see if Linden Lab could organise a.......well, you know the rest.
Stan Pomeray
OMFG bahahaha!!
gawed Stan yer the cat's meow :D
OY vey I posted again to this blog
ah well
See you whenever
Wilhelm Neumann
I'm thinking I should get me one of these here blog thingies .. can't decide though...
...or make one but the free one is so cheap! GAH!