Metaverse breached: Second Life customer database hacked

High-profile virtual reality game Second Life reported today that one of its databases containing unencrypted user information was breached two days ago. The company confirmed that this is the first time user data has been breached since the service opened for public use in 2003. The database did not include customer credit card numbers, a requirement to register for the game (correction, that’s not the case anymore), as they were kept in a different database. The breached database did include unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users.

A company representative wouldn’t tell me whether behavioral or attention data tied to users was exposed in the breach, but did say that to the best of their knowledge none of that data had been captured. Such data could include information about embarrassing activities in Second Life that users may not like to have tied to their real life selves. There are a lot of very cool things that go on in Second Life, but there’s also a lot of sex and gambling. Update: Vladimir Cole at AOL’s gamer blog, Joystiq, a better authority on the particulars here than me, concurs (emphasis mine). “To put a finer point on it,” he writes, “what happens when archived MMOG chat logs are breached? It’s going to be ugly, like AOL ugly: ‘I swear honey, that Furry [avatar] meant nothing to me. It was totally just research for my new book. I’ll sell the teledildonics equipment on eBay first thing tomorrow.’”

Virtual worlds are big, they’re going to get bigger, and we should be demanding protection of user data from those worlds now. There’s already one politician said to be a possible US Presidential contender campaigning in Second Life, and you can participate in American Cancer Society fund raisers, hang with the American Library Association or participate in substantial daily commerce. There are major corporations launching advertising initiatives in Second Life and consultancies forming to facilitate such activities. Acts of violence in a game that prohibits it are being reported with increasing frequency. This is serious stuff.

Apparently our Second Lives aren’t as separate from the rest of the world as we might have liked to think. Obviously no company is immune from such security attacks, but there’s something about the supposed freedom from consequences in Second Life that this calls into question. It’s been a rough week for privacy, considering the Facebook explosion, Craigslist sex baiting and HP spy scandal.

The security breach occurred on Wednesday and users were required to change their passwords at 9:30 am PST this morning. Mark Wallace at 3pointD writes, “Oddly, it seems that no notice was sent to users flagging the problem.”

One source told us that the entry into the database appears to have occurred via an exploit in Tikiwiki, a third-party open source collaboration service that the company has since stopped using. The company was hesitant to disclose information about the breach, the data put at risk and the company’s architecture for fear that such information could make future exploits easier to perform.

Though far from the largest virtual reality game online, Second Life has gained loads of media attention (including the front cover of Business Week) because of the diversity of participants and the dynamic economic activity that goes on in the game. There are an estimated 3,000 users who make at least $20,000 per year from businesses in Second Life and the company’s founder recently said that between seven and eight million US dollars in real money changes hands each month in the game. Investors in Linden Lab, the company behind Second Life, include Amazon’s Jeff Bezos, eBay founder Pierre Omidyar and Globespan Capital Partners.

Though this wasn’t the first time a virtual reality game has been hacked and user data has been put at risk, it’s notable because of the number of nontraditional gamers who participate in Second Life and the discourse around it in particular as a symbol of online life to come. The number of registered Second Life users has doubled over the last two months.