Your Second Life Password May Not be Safe
Vint Falken reported today, in an article called “How (in)secure is your Second Life Password?”, that a Second Life resident named Pingping has had $800 US Dollars “stolen” from his account, and described how it was apparently done.
Like many of us, Pingping Zhaoying thought his password was a strong one, but in this case that really doesn’t make a difference. It appears that with the right knowledge, which is easily obtainable, any resident’s password can be changed.
The problem seems to be that the password can be changed on the Second Life site simply by answering one of several questions. The alternative would be to have a randomly generated password mailed to your email address, which you would use to log into your account and then change to something you choose.
Linden Lab does not seem to be responding to this issue, and I believe it is one that should be addressed. I really do not think Pingping will ever see his money again, but I do think this hole in security needs to be closed up.
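To make the difference concrete, here is an added sketch (not from Vint Falken's article or from Linden Lab) of the mailed-secret recovery described above. It goes a little beyond the text by making the secret expiring and single-use; `ResetService`, `hash_password`, the 15-minute lifetime and the sample account are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of the temporary secret


def hash_password(password):
    """Salted PBKDF2 hash; the iteration count is an assumed setting."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + derived.hex()


class ResetService:
    """Recovery through the mailbox on file, never through security questions."""

    def __init__(self, accounts, send_mail):
        self.accounts = accounts    # name -> {"email": ..., "password_hash": ...}
        self.send_mail = send_mail  # callable(address, body), injected mail sender
        self.pending = {}           # name -> (sha256 of secret, expiry timestamp)

    def request_reset(self, name, now=None):
        now = time.time() if now is None else now
        account = self.accounts.get(name)
        if account is None:
            return  # unknown names get the same silent result
        secret = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        digest = hashlib.sha256(secret.encode()).hexdigest()
        self.pending[name] = (digest, now + RESET_TTL_SECONDS)
        # The secret leaves the server only via the registered address.
        self.send_mail(account["email"], secret)

    def complete_reset(self, name, secret, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(name, None)  # pop: one attempt per issued secret
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(secret.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        self.accounts[name]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a real mail system
    users = {"resident": {"email": "owner@example.test", "password_hash": "old"}}
    svc = ResetService(users, lambda addr, body: outbox.append((addr, body)))
    svc.request_reset("resident")
    print(svc.complete_reset("resident", outbox[0][1], "a new passphrase"))
```

With this flow, knowing or guessing the answer to a question gets an attacker nothing; they would also need access to the resident's mailbox.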









Weirdharold
comment | June 29, 2007 at 07:02
I would think Pingping could get some sort of chargeback protection from his credit card holder.
The reasons to stay involved with Second Life at any level continue to dwindle.
Would be wise to remove the backup payment data from your account and enter it only when you need to make a transaction.
comment | June 29, 2007 at 10:21
Well, any L$ that are transferred from your account is data that’s logged and maintained. It’s pretty easy to find out where the money went to, and who it belongs to.
Now, sometimes it seems like that would be hard to get someone to check up on… Because there are many complaints which don’t get answered because they are either ridiculous, haven’t enough information, or just don’t make sense.
But it’s not like this action can’t be traced.
comment | June 30, 2007 at 02:51
29.06.2007
PingPing Zhaoying’s account is canceled by the Linden Gods.
‘Today, 9 days later, and without any sign of LL my account was shut down, no more logging in possible, the rest of my inventory is gone, the work of one year virtual living gone. Thank you Linden!’
30.06.2007
PingPing Zhaoying received the following mail from LL. Up to now this is their only response after 9 days, intercontinental phone calls, email and in-world IM.
Guy,
I have issued a refund of the charges that were fraudulently placed on your account. We’ll have the account returned to you, asap. We are responding to attacks like this as quickly as possible. Sorry for the trouble.
JP