Linden Labs, the San Francisco-based creator of the virtual community Second Life, has told its users that their personal information could have been stolen due to a zero-day attack.
In a Sept. 8 announcement, the company said that users unencrypted names and addresses, as well as encrypted passwords and payment information, could have been exposed during the attack. The company, however, said that credit card information had not been exposed.
The security breach was first detected on Sept. 6, and Linden Labs said it repaired the problem immediately. A company investigation showed that hackers exploited third-party software used on the Second Life database to break into the servers.
“Due to the nature of the attack, the company cannot determine which individual data were exposed. The companys technical investigation is ongoing,” Linden Labs said in its release that was posted on the Second Life Web site.
Citing its own internal investigation, the company did not release many details about the breach besides acknowledging that it was a zero-day attack. The company is also still trying to determine what, if any, personal information was compromised.
Second Life is a virtual community that is maintained and run by its “residents,” who can make purchases through this online world and convert the “Linden dollar” into standard U.S. currency.
Hacking into video games and virtual communities has become an increasing problem.
On Dec. 16, 2005, White Wolf Publishing, a company responsible for some of the most popular role-playing game brands, was forced to shut down its operations after international hackers exploited a software flaw and stole user data, including user names, e-mail addresses and encrypted passwords.
At the 2006 Black Hat conference, Greg Hoglund, a well-known security code expert, showed how he could beat an anti-cheating technology in the online role-playing game “World of Warcraft” by using rootkits he developed.
On its Web site, Linden Labs boasts that since 2003, when the community first opened, nearly 300,000 people from around the world have joined.
The company first noticed a problem on Sept. 6, when an unusual amount of activity found in the database logs showed that an attack had occurred. The initial internal investigation showed that the attack could have started as early as Sept. 3, but the company found no evidence of a compromise to the database until Sept. 5.
“On Sept., 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed,” the company said.
The company has invalided all user passwords, and members of the online community have been urged to reset their passwords and keep track of credit card statements and their PayPal accounts for irregularities. Additional updates will be posted on the companys blog.