September 13th, 2006 by Chandler Howell

So Second Life got hacked:

On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.

No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised.

A news story puts the scope of the breach at 650,000 accounts.

Let’s read into the story a little bit.

First, we now know a little bit about the Second Life team’s risk management priorities. They encrypted (hashed, most likely) user passwords. By making this decision, they declared that they were more concerned with account security than incremental performance gains they might have derived from not encrypting them.

Even though Second Life handled the passwords responsibly, they are still paying the price for losing them–they will probably lose at least a few on-the-fence customers and also have to bear the increased cost of supporting 650,000 people all trying to change their passwords at once. Long-term, though, this is the Right Thing.

Second, we know that they care about protecting their revenue stream. I’m guessing they were PCI-Compliant since they encrypted credit card information. That’s also a Good Thing since it means that they aren’t going to be put out of business by lawsuits or the “Death Penalty” from Visa or Mastercard (even if that is, to a certain extent, killing the goose that lays the golden egg).

Third, we know that they have some concerns that at least some portion of the password database is vulnerable to (probably) dictionary attacks. John the Ripper would probably make pretty quick work of those ~650,000 accounts, especially if the hashed passwords weren’t salted, or were salted with too small a salt (a random value stored alongside each hashed password so that a single dictionary attack can’t be run against the entire list at once).
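To make that last point concrete, here is an added illustration (not code from the original post or from Linden Lab) of why an unsalted hash list falls to a single pass of a wordlist while a per-account salt forces the work to be repeated for every account; the account table and wordlist are constructed toy data.

```python
import hashlib
import os

# Constructed sample data for illustration only: four accounts, two of which
# reuse the same password. No real breach data appears here.
ACCOUNTS = {"alice": "sunshine", "bob": "dragon", "carol": "sunshine", "dave": "Tr0ub4dor&3"}
# A tiny stand-in for a wordlist; the cost argument depends only on its length.
WORDLIST = ["password", "dragon", "sunshine", "letmein", "qwerty"]

def store_unsalted(password: str) -> str:
    """Unsalted hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password: str, salt: bytes) -> str:
    """Per-account random salt mixed in, so equal passwords give different digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_tables():
    """Return (unsalted_table, salted_table) for the constructed accounts."""
    unsalted = {name: store_unsalted(pw) for name, pw in ACCOUNTS.items()}
    salted = {}
    for name, pw in ACCOUNTS.items():
        salt = os.urandom(16)  # 128-bit salt, large enough to be unique per account
        salted[name] = (salt, store_salted(pw, salt))
    return unsalted, salted

def guesses_unsalted(stored: dict) -> tuple[int, int]:
    """(hash computations, accounts recovered) for one wordlist pass over an
    unsalted table: each candidate is hashed once and matched against every
    stored digest with a dictionary lookup, so cost is len(WORDLIST)."""
    by_digest = {}
    for name, digest in stored.items():
        by_digest.setdefault(digest, []).append(name)
    computations = found = 0
    for word in WORDLIST:
        computations += 1
        found += len(by_digest.get(store_unsalted(word), []))
    return computations, found

def guesses_salted(stored: dict) -> tuple[int, int]:
    """Same pass over a salted table: every candidate must be re-hashed with
    each account's own salt, so cost grows with accounts * len(WORDLIST)."""
    computations = found = 0
    for name, (salt, digest) in stored.items():
        for word in WORDLIST:
            computations += 1
            if store_salted(word, salt) == digest:
                found += 1
                break  # stop at the first match for this account
    return computations, found
```

With the constructed data the unsalted table is fully covered in 5 hash computations, while the salted table needs 13 for the same wordlist; scale the account count to 650,000 and the salted cost grows accordingly.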

Finally, we know that Linden cares less about protecting their customers than they do about their ability to get paid, even if those customers are also an integral piece of the revenue stream. I suspect this is more a case of the floor for compliance being the ceiling for effort than anything else–no law or industry legal agreement requires them to encrypt the data, so they didn’t. They did not perceive risk associated with losing that information, and I suspect that this will be what eventually hurts Second Life when all is said and done.

Interestingly, Second Life seems to have missed a significant tenet of their value proposition–that they provide a place where people really do have second lives. And that’s the real risk in this whole incident. There could certainly be some fraud and account abuse in all this, but I would hope that Linden Labs has or is putting processes and tools in place to identify those affected and make them “whole” again.

I strongly suspect, however, that their willingness to accept risk to people’s Identities will be the long-term impact of this incident. After all, I have to suspect that there’s going to be a tendency to self-censor (for better and worse) what people feel willing to do with their second life if they can’t be certain that it won’t be tied back to their first one.

I have to state that I’ve never spent any time in Second Life, but that’s only because I’m a recovering addict (you’re never recovered) of Evercrack and a couple of other MMORPGs–the actual concept fascinates me. As such, I firmly believe it’s best for me if I just stay away from Second Life.

Nevertheless, I know from some experience that some people are very different on-line than in real life, for better and for worse. In the limited confines of an MMORPG, that can create significant problems. In the nearly unlimited scope of Second Life, while most of what goes on is pretty innocuous, I’ve read some things (no links–I’m offline as I compose this) in the past that lead me to believe that some people do things there that they’d just as soon not be tied to in their First Life.
