Safeguarding Your Account…or You’ve Been Phished

On June 14, we posted about creating Strong Passwords. If you haven’t yet reconsidered your password, do it now. This will help reduce your risk of the subject of today’s post—being phished.

Phishers, as defined by Wikipedia,

“attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well.”

How do you know if your account may be compromised?

  • If you can’t access your account
  • If you suddenly notice a reduced available balance on the payment source you have on file.

What should you do?

Contact us immediately!

Here are the steps:

  1. Log in to your account.
    • Log in to the Support Portal.
    • If you cannot log into your account, use our Guest Access Log In.
  2. Submit a Ticket
    • In the Ticket Type Field, select “Special Questions – Basic Account or Guest Login” from the drop-down menu
    • Then select “My account has been shut off and I don’t know why”
    • Fill in the rest of the fields as directed.
    • Copy the Tracking Number for your new ticket
    • You will receive an email containing your ticket information.
  3. Call the Fraud number: 800-860-6990

How will Linden Lab resolve your compromised account?

First, Linden Lab will place your account on hold, and investigate the relevant transactions. This may take a few days in some cases. Once we have finished the investigation, we will send you an email explaining our conclusion and explaining the action that will be taken with respect to your account. As a reminder, all transactions involving $L are subject to Linden’s Terms of Service (TOS).

[Update] Thanks for the comments–some needed clarifications. Here’s the connection between phishing and safeguarding your account, on two fronts.

  • Phishers rely on people using the same SL password on other sites. So, if a fraudster gets your password on a third-party site or through an email, they can go right to your SL account.
    • Message: Don’t re-use your SL password on other sites.
  • No Linden Lab employee will EVER ask for your password in-world.
    • Message: Do not give your password to ANYONE…a friend, a partner or a Linden.

    Other Resources to Help Safeguard Your Account

    Geeks.com
    Wikipedia
    Microsoft: Protect Yourself

    Know any other helpful anti-phishing sites and strategies? Help your fellow Residents and add your recommendations to the comments below.


    100 Responses to Safeguarding Your Account…or You’ve Been Phished

    1. Amanda Ascot says:

      Everette, you have to be aware that this recent harping on passwords and such has created a very strong suspicion among the residents that Linden Lab’s data base has been hacked — again. A number of residents have even voiced this fear here in blog threads, but I don’t recall seeing a Linden ever saying that this is not the case.

      So, definitively, will you state, as an official voice of Linden Lab, that the data base has not been compromised, subject to any possible legal repercussions of giving us misleading information with regards to this issue? If not, will you at least let us know that it *has* been hacked, or that you suspect that it may have been hacked, so as to send a clear message to everyone that they must, rather than merely should, take immediate action to safeguard their accounts?

    2. Ariadne Forcella says:

      Phishing has nothing to do with the strength of one’s password. As the definition states, phishing occurs when one enters his password into a fake login form. A strong password will not help you if you’re typing it into a form served off some dude’s home server.

      If phishing is a huge concern, a more appropriate piece of advice is to make sure that you are entering your login info on the official SL website (secondlife.com) and not anywhere else.

    3. Alph says:

      It’s a very good idea to remind people on a regular basis that it’s best for them to have strong passwords. But I do not think that phishing has anything to deal with strong or not strong passwords. Am I wrong?

    4. Alyx Stoklitsky says:

      Linden Lab’s database has been hacked. I know this to be true, I WITNESSED account theft just last month.

      The Lindens investigated it and even confirmed that the SL password was breached before the victim’s email account was, meaning that there is a way into LL’s database.

      Again.

      An act of utter piss-poor security on LL’s part is to have your login name the same as your avatar name. Total stupidity.

    5. onion says:

      yeah really. strongest password in the world won’t help if you fall prey to phishing. with all due respect everett… give it a think.

    6. WarKirby Magojiro says:

      Is it possible to get transactions undone?

      Say someone hijacks your account and spends 10,000 L$ on random stuff. Is it possible to get that back?

    7. Darien Caldwell says:

      Just because someone guessed a password doesn’t mean the database was hacked. I think that’s the whole point of their posts. DON’T USE PASSWORDS THAT ARE SO EASY, ANYONE CAN GUESS THEM!

    8. Anonymous says:

      It would not matter HOW strong our password is if it has been “phished” (as you GAVE them the information)..

      I am curious also why such detail to our passwords…

      as Amanda said;
      “So, definitively, will you state, as an official voice of Linden Lab, that the data base has not been compromised, subject to any possible legal repercussions of giving us misleading information with regards to this issue? If not, will you at least let us know that it *has* been hacked, or that you suspect that it may have been hacked, so as to send a clear message to everyone that they must, rather than merely should, take immediate action to safeguard their accounts?”

      Great point indeed…

    9. Anonymous says:

      Sorry; had to clarify this;
      You as in “you GAVE them the information” meaning the account holder 😉

    10. aluher rehula says:

      is it an idea that changing anything in your account, like password, e-mail buy and sell l$, is first confirmed by an e-mail, so phishing and stealing an account is more difficult? just like the confirmation-email you get when creating your account?

    11. Artimis Slade says:

      HMMMM… I received an email purportedly from Linden Labs about a “login failure” that i had no recollection of having reported…but my security didn’t allow access to the link so i happily went on to other things…RED FLAG??? or what? i assumed since my security blocked access that was the end of it….i have no illusions as to the extent of my naivete…and just how tha hell do i check tha balance on my credit card??? And I HAVE done that whole “change your password” dance! know what? THIS AINT F—ING FUNNY

    12. “Last week, we posted about creating Strong Passwords. If you haven’t yet reconsidered your password, do it now. Otherwise, you risk being phished—someone steals your password and hijacks your account.”

      That’s a rather ignorant statement. No matter how strong your password it won’t protect you against Phishing. No matter how strong your password if you give it to a Phisher they have it. Strong passwords only help protect you against guessing and brute force hacking.

      The only defense against phishing is being alert and informed and knowing the source that is asking for your password is legitimate.

    13. Anonymous says:

      If I’m correct NO SOURCE (Hosting Provider, I.S.P, etc) should EVER ask for your password…EVER!

    14. Lorna Volitant says:

      I have heard talk inworld of accounts being hacked and money being taken, and in some cases accounts being deleted as some form of vengeance or even a simple dislike of a person. I have no reason to doubt the sources of this information, although I have no first hand knowledge of this.
      Some people think paranoia is a negative state of mind, I disagree, since hearing these things i have bunkered myself and am very wary of the trust involved in friendships..sometimes it really is wiser to stay silent.

    15. I have three words concerning this….DON’T TRUST ANYONE!!! And that means your really best friend or even your SL Partner!

      In RL, I work at a facility where information over our Intranet is both vital and sensitive, and involves people’s privacy. Our passwords, whether we want it or not, are changed every 90 days. Our passwords MUST contain a number of parameters, or the computer that oversees the password changes tells you it does not meet our company’s criteria and you need to add something and try again. Yeah, it’s a total pain….but, we rarely, if ever get hacked. We have also been taught, that in order to have a secure Password, our passwords MUST contain the following:

      – 6 or more letters, numbers, and symbols
      – Upper case and lower case should be used
      – Never use names or your SSN
      – When changing the previous PW, it should not be close to what you used before.

      So an example of what we need in our facility would look something like this (and no, it’s not even close to my PW’s!)

      45L3kab#1

      I never give my passwords to anyone, and if anyone dared ask me for it, I’d report them ASAP to Security…..

      So, if you have a problem, look to yourself, people, you either accepted some object in world, from someone you don’t know, which managed to get your password, or you inadvertently told them somehow.

      And yes, I do suspect that someone, or someones, are and have been able to hack into the SL systems. So it may be a pain in the buttocks to change your PW, but do it anyway for your peace of mind.

    16. Kooky Jetaime says:

      Agreed, You can have the strongest password in the world, such as mine: “5Ïæ´½½µF˜±¡ÉR&]9ÄÊtCW7†3KŠhœ‚,˜°ÍÝË{PÕ‹çÈ$Z«t}•¦©mî’I &çv>Д, but if someone is not smart enough to verify where they are putting it (which is what phishing preys on), it doesn’t matter, you might as well put in “12345”. You know you’ve done it with your luggage.

      I second the above statements, in the past couple months, there have been repeated “Change your password, Use Strong Password” blog entries. This is starting to sound like there has been a security breach with regards to the account database.

      Additionally, the way this entry is written, I assume that Everett Linden doesn’t have a clue what he is doing or talking about. Starting right with the first words out of his mouth, “Last week, we posted…” The last password blog entry was from June 14th, and I don’t know what calendar you’re looking at but that wasn’t last week. Or the week before last even. I’ll assume that he means “Last Month” or just has a really bad sense of time. Secondly, as mentioned before, Strong Passwords are not, nor have ever been, a defense against phishing. And shall we examine that topic? “Safeguarding Your Account…or You’ve Been Phished” More bad English, or is that a threat of some kind? (Yes, I know, I’m far from the world’s best writer, but still this is allegedly a key public relations channel from a company to its customers, let’s try some basic proofing skills?)

      Now don’t get me wrong, I’m not only going to gripe about this poor blog entry, I’m going to offer a solution and advice for everyone.

      Password advice for the common person:
      1. You do not change your password every 30 days. It’s been studied and found that if you use a strong password (lower case, caps, and numbers minimum intermixed, and if possible other non alphanumeric characters (“!@#$%^&*()-=_+[]\{}|;’:”?,./) of at least 8 characters, and nothing that would be found in a dictionary) and leave it unchanged for a longer period, you are safer than if you change it every month. Some companies are changing from 30-60 day forced password changes to 1 year changes as people are less likely to use strong passwords if they need to change (and memorize) a new one every month.

      2. Don’t use the same password on every site. I would suggest one password per site, but I know not everyone is going to follow that, but at least try to not use the same password more than a couple times. Also, if you are going to use the same password on multiple sites, I would suggest using them on similar styles of sites. Don’t use your Hotmail password on Secondlife. If someone acquires your Hotmail password (By chance it’s recorded on a friend’s computer when you check your mail there), they now have your SL Password and can access your bank account information.

      3. If you have too many passwords, I know I have at least 50, not including the 20 that I use in my home computer and home network alone, you are going to start and write them down, or keep them stored in your computer. I have used, and suggest a program called “KeePass.” (Open Source, Free, and available on Sourceforge, or simply google “KeePass”.) It works as a password “Bank” that can store all the various passwords you use, as well as including a generator that will let you create random strong passwords. The file is encrypted, using a Master Password (a strong one that only you know, don’t write down, don’t put anywhere except your head) AND / OR a Master Key File, that will open the “Bank.” You can use one, the other, or both. The file is useful as you can put it on a USB key that you keep with you, and can act as a physical means of protecting your passwords. (Must have USB Key & Master Password to open up the bank.)

      Ok.

      If any other security experts wish to add, or disagree with these statements, feel free. This is just what I have seen, and learned over the years. If you want more information on KeePass, feel free to contact me inworld. (I didn’t write it, so this isn’t a self-plug.)

    17. Aromadon Enoch says:

      It’s rather like when you start hearing that EBS test on the TV…. when you start having it 3 or 4 times a week, you can bet there is a reason. Likewise, when you get LL posting blogs about passwords and account security, you can bet there is a reason… the difference is, LL has already been breached, perhaps more than once, and all in the past month… you know, since everything went to Hell in a handbasket. But, the CYA mentality is still running strong at LL, so no word to the paying customers… except these cryptic posts…

      You know that admonition to update your payment info, dumping PayPal and instead giving LL your CC info directly… Does that really sound like a very good idea in this light??’

      Sheep, meet wolves….. Wolves, sheep meat……….

    18. Bobo Decosta says:

      Don’t understand this post. This post is about phishing and it recommends me to create a strong password?? Well what can a strong password protect me against phishing? To my knowledge phishing is a technique to bypass strong passwords by letting someone think he is entering his or her strong password on a site that pretends to be the official site.

      To me the only thing that can prevent my account from being “phished” is that you change the method to change the password. I was very surprised to see how easy it is to steal my account. If you can phish me it’s very easy, just change the password. There is even no need for me to verify the password change by email and that I think is the lowest part of security I’ve seen on a site where it is so easy to empty someones bank account.

    19. Lozlo Peng says:

      hahaha, LL you think strong passwords is the way to stop phishing?

      To be phished you have to give information out 😐
      So whether your password’s strong or not, it has nothing to do with phishing

    20. Simon Nolan says:

      @ Amanda, it could be that LL is posting frequently about password security simply because residents continue to be careless and use easy-to-guess passwords. This could be an interesting application of Hanlon’s Razor, “Never attribute to malice that which can be adequately explained by stupidity,” in this case, that of users, not LL.

      It wouldn’t hurt my feelings a bit if LL instituted a requirement for more secure passwords, as Sydona’s workplace requires. I’ve written webapps before and in them it’s pretty trivial to enforce some of those requirements, especially a mix of letters and numbers and minimum length.

      For those of you needing an object lesson about using insecure passwords, read this article on Wired about how a fan stalked Linkin Park’s lead singer, after easily guessing his email password.

    21. amun koba says:

      @2, you are correct. But they both belong in the category of “don’t be foolish about security”. The term “phishing” just means “fishing for information”, whatever you can get another person to say. A common example is one of those emails that tells you “you need to re-enter your personal information to confirm your identity” and gives you a link that looks like “www.somewellknownbank.com” but actually goes to (usually you can see this in a mouseover tooltip) “www.somewellknownbank.gobbledygook.thedomainitsreallygoingto.com” where there is a form for you to give your password to the phisher (who makes the form resemble a page from somewellknownbank.com). So in short, “phishing” means fooling people into giving away their passwords.

      How GOOD your password is applies in different situations – either someone who knows you or at least your avatar’s name guessing your password, or someone using software tools to try “brute force” methods to find passwords
      (such as trying every word in the dictionary, from a-z).

      A “weak” password is either short, eg “123” or a common word, or the same as a publicly available piece of information, eg First Name: “Fred”, Last Name: “McAvatar”, Password: “fredmcavatar”.

      A “strong” password is something either requiring a more exhaustive and thus much more time-consuming search, eg “X17hfgu?,J3y6ll” (because they’d have to be trying EVERY combination of characters to find such a password) or at least something which while somewhat easier for you to remember is still quite obscure, such as your dog’s mother’s maiden name spelled backwards, with an extra ‘q’ stuck in the middle.

      It IS standard practice (not that I’m implying anything about LL) to remind users of good password habits.

      And it’s normal to not get anything TOO definitive about security issues out of an organization. Due to lawyerly conservatism, “As far as we know there have been no security issues” is about as much reassurance you can expect, and you won’t hear any definite admissions of having been breached unless the public is going to find out anyway.
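The lookalike link described in comment 21, checked in code (an added example, not part of the original post or thread): it parses a constructed e-mail body and flags links whose real target host is not on the trusted domain, including the case where the trusted name is only a subdomain label of another domain. `TRUSTED_DOMAIN`, `SAMPLE_EMAIL`, `click.mailer.example` and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the one domain the reader actually does business with.
TRUSTED_DOMAIN = "somewellknownbank.com"

# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """
<p>You need to re-enter your personal information to confirm your identity.</p>
<a href="http://www.somewellknownbank.gobbledygook.thedomainitsreallygoingto.com/login">www.somewellknownbank.com</a>
<a href="https://www.somewellknownbank.com/help">Help centre</a>
<a href="http://click.mailer.example/r?id=123">Update your payment information</a>
"""

_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the hostname named by a URL or by bare text like 'www.x.com', else None."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit read bare text as a network location
    try:
        host = urlsplit(value).hostname  # already lower-cased, userinfo and port removed
    except ValueError:
        return None
    host = (host or "").rstrip(".")
    return host if _HOST_RE.match(host) else None


def belongs_to(host, trusted):
    """True only for the trusted domain itself or a real subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def audit_links(html, trusted=TRUSTED_DOMAIN):
    """Return a list of (target host, reasons); an empty reasons list means no finding."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # only web links are checked here
        target = host_of(href)
        shown = host_of(text)
        on_trusted = target is not None and belongs_to(target, trusted)
        reasons = []
        if not on_trusted:
            reasons.append("target host is not on the trusted domain")
            if shown and belongs_to(shown, trusted):
                reasons.append("link text displays the trusted domain")
            # The rightmost labels decide who owns a host name, so the trusted
            # name appearing further left proves nothing.
            if target and trusted.split(".")[0] in target.split("."):
                reasons.append("trusted name used as a subdomain label of another domain")
        findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in audit_links(SAMPLE_EMAIL):
        print(target, "->", "; ".join(reasons) or "ok")
```

The third sample link is flagged only because it leaves the trusted domain, which is also what a legitimate message sent through a third-party mailer with redirect links looks like to this check.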

    22. Bobo Decosta says:

      @simon if this post was about insecure passwords you would have a point but this post is just nonsense. People who use insecure passwords don’t understand the concept of phishing so they are now provided by LL a false sense of security against phishing. If someone needs a lesson that will be for sure LL on this one.

      After reading this post i really feel stupid to trust linden labs to keep my sim and my balance safe. I used to think that i was the one that would make my account vulnerable or not. But LL just shows me they don’t even have a clue on how i should protect my account.

    23. Greta Umarov says:

      It would be nice to be able to LOG IN to the support portal, but I can’t. I can’t log into the guest login either. I get sent right back to the page where I just logged in!

      I’m tired of talking to volunteer mentors…they try to solve the problem, without any luck, instead of passing on my dilemma to Tech Services, like I ask them to. I can’t get a viable phone number either…I get the old one that says it’s no longer in service.

      All this, and I’m a premium member in good standing. HELLOOOOO? IS ANYONE WITH AUTHORITY OUT THERE? Please, I hope you read this and contact me. Because I can’t contact you at all. I might as well be standing in the middle of the Sahara desert, with no pc at all.

      HELP!

      Greta…who CANT USE THE SUPPORT PORTAL AT ALL!

    24. Tony says:

      This post is a little misleading, having a strong password won’t protect you from phishing. However having a strong password is good advice, it should however not be confused with protection from phishing.

    25. Pie Psaltery says:

      How’s about I try to rewrite the blog post so that it makes sense?:

      “Recently, we at Linden Labs have been hearing a lot of noise from residents about a bogus email that was sent out with our company name on it that directed people to change their Second Life passwords via a link included in the email. This practice is known as Phishing, and is a way that your account can be compromised.
      To prevent your account from being phished, simply make it a practice to NEVER click on a link in an email as a way to change your password for ANY site. Instead, go directly to the website address you usually access your account from and check or make any changes to your account from there.
      Yadda yadda yadda etc etc etc….”

    26. not a thieve says:

      phishing and strong passwords are different.

      look at your ava like at your CC and all will be okay

    27. not a thieve says:

      i think its harder gesture where missing and not anymore shown as missing ( only in chat)

    28. Beezle Warburton says:

      Strong passwords won’t protect you from phishing. Phishing is a social engineering attack that gets you to give up your password (possibly along with other info) regardless of how strong it is.

    29. Chaz Longstaff says:

      The strength of a password has nothing to do with whether a victim has been compromised through phishing. Phishing is a technique that is used to get a victim to reveal his or her password, whether a weak password such as “password” or a strong one such as “198&^%$)(xyz&&”.

      Everett Linden, please clarify. Are you alerting people to tighten up their passwords, or to be alert to phishing? Granted, everyone should do both daily, along with 10 Hail Mary’s, but which one are you emphasizing in this particular instance?

    30. not a thieve says:

      my money only is stolen by SL not from one that got my password. SL turns the law

    31. martini says:

      The quality and “correctness” of recent blogs seems to be deteriorating.
      This here, which although it makes a good point about strong passwords, completely misses the point about handing out your pass to a fake site etc.

      That and the rather confusing graph the other day which really didn’t say much apart from, “we are falling behind more slowly than we did a while back”.

      I think you need to run some of these openers past other people before sticking them up?

      oh and the other one is having to frequently post in the comments…”Just to clarify my opening post”…..and sometimes the more annoying “Just to clarify my clarification” 😛

    32. Bekken Klaar says:

      2 or 3 days? ZOMFG! That is sooooo hilarious.

      My friend got phished like 5 months ago, and he STILL hasn’t gotten his account back. Some guy named Gary at the Linden offices assured him it would be quick when they chatted on the phone – but he’s still waiting.

      If any curious Lindens are reading, the guy’s name is: Aaron Onomatopoeia.

      We should all join together and demand he be set free! Cool guy and would give you the shirt off his back (in fact, I met him within 20 mins of being in SL, and he gave me tons of stuff).

      These people shouldn’t be punished! Give him and any other avi in prison an immediate pardon!

    33. everettlinden says:

      Thanks for the comments–some needed clarifications.

      Here’s the connection between phishing and safeguarding your account, on two fronts.

      1. Phishers rely on people using the same SL password on other sites. So, if a fraudster gets your password on a third-party site or through an email, they can go right to your SL account.

      Message: Use different passwords. Use strong passwords.

      2. No Linden employee will EVER ask for your password in-world.

      Message: Do not give your password to ANYONE…friend, partner, liaison, Linden.

      Otherwise, use the strategies to prevent phishing as suggested by your fellow Residents and on other sites.

    34. Amanda Ascot says:

      @ Simon: I hate taking up a second slot in a restricted length thread, but I think your point needs to be addressed. First of all, we *know* that Linden Lab’s database was seriously compromised in the past. Fool me once, shame on you. Fool me twice shame on me. I think we have a right to assume the worst-case scenario, here, especially since, as has been pointed out, phishing has nothing at all to do with secure passwords. I prefer to use Occam’s Razor, rather than Hanlon’s Razor. The simplest explanation is probably the correct one, and in this case, since, presumably, Linden Lab doesn’t *know* what our passwords are (the standard case for online services such as this), the simplest explanation is that the data base has been compromised. This harping about secure passwords is a recent phenomenon — since the data base compromise. If it had been an issue all along you’d think that technogeeks like the people who created Second Life would have been encouraging this all along, but to my knowledge there was nary a word about it until the damage had been done.

      I’m all for imposition of secure passwords on SL, as well as making our log-on names different from our avatar names. Indeed, I’m not even pleased that we have to supply our email address as part of posting here on the blog — that’s just one piece of information that can be compromised and that has no apparent legitimate use by Linden Lab.

    35. I totally agree that everyone needs to better protect their account, but IF you’ve been PHISHED, most likely there is a KEYLOGGER that has been installed on your machine, and no matter what you change your PW to, the PHISHER will know it.

      IF you suspect someone has taken control of your account, right after you report it to the LINDEN personnel, you should immediately check your system to be sure no KEYLOGGING software has been installed. If you do NOT know how to do this, then get a good anti-virus solution and install it on your PC. Otherwise, you could always low-level format your HD and rebuild your system.

      Now, concerning seeing the TOS. Unless I’m mistaken, a FEDERAL JUDGE has already RULED the SL TOS to be NULL and VOID. Which is sort of interesting, since there is no standing TOS, I guess that means there are no rules. I don’t understand why LL’s legal eagles haven’t come up with a NEW and IMPROVED TOS, just remember friends, it can’t be slanted to give you an advantage in future court cases, like the judge ruled the current TOS is, and decided to toss it!

    36. Lina Pussycat says:

      Well it’s recommended to have a strong password. Just don’t visit sites that ask for your direct SL password and never use your SL account password for other sites and the like….. Me I try to keep my password changed weekly or at bare minimum monthly. It doesn’t worry me in the least to see LL posting this I’ve played things in the past where that is there constantly on the loading area or login and on the site….

    37. Lina Pussycat says:

      @28 only one clause of the TOS was considered nulled and that’s the right to arbitration or some such….

    38. Vanessa says:

      Maybe LL could do some “practice what you teach”?

      Two weeks ago LL sent out a batch of emails informing people that they should update their payment information on the site.

      That email did not originate from @secondlife.com but from Vertical Response, a mass email company. Included in the email was a link that did *not* refer to the SL site but instead redirected to it from another domain entirely.

      It’s all well and good to warn people about phishing, but when LL communicates with its residents in the same way phishers do there isn’t much point to it.

    39. Har Fairweather says:

      “Only the Paranoid Survive”…

    40. Juliet Ceres says:

      And WHY should I give my personal information to LL or Integrity then? Only to have one more place where my data is stored and that can be broken in?

      Age Verification is INSANITY!

    41. TyrisFlare says:

      *hmm , Whatever it takes to improve LL Must move on*

    42. TyrisFlare says:

      * And only succeed to the best of there! abilities*:)

    43. TyrisFlare says:

      *Good Luck LL* 🙂

    44. Alex Warrior says:

      G’day Everette

      I have recently had FIVE charges on two different credit cards with two different financial institutions in the last 20 days. These amounts add up to AUD $1900. They do not correspond to my billing cycles or land tier. My transaction history does not show any purchase of Linden that corresponds to these dates, either in my US account history or my Linden history. I have contacted my banks and disputed these amounts.

      I have a strong password. It’s a password not used any where else. I have never given my password out to ANY person or site, other than when I log into the secondlife.com site.

      I have submitted a ticket, I have had no email response for three days.

      You ask “How do you know if your account may be compromised?”

      And then state “If you can’t access your account [or] If you suddenly notice a reduced available balance on the payment source you have on file.”

      Well I have a reduced balance on my current payment source and my OLD payment source.

      I am following all the procedures, but seeing this blog three days after my support ticket is submitted with no email response is really concerning.

      Worried
      Alex Warrior

    45. Alyx Stoklitsky says:

      Darien Caldwell:

      “Just because someone guessed a password doesn’t mean the database was hacked. I think that’s the whole point of their posts. DON’T USE PASSWORDS THAT ARE SO EASY, ANYONE CAN GUESS THEM!”

      The password was a string of random letters and numbers.

    46. Wyald Woolley says:

      From previous blog responses by various citizens, I’ve come to be concerned that if I should go into my account and change ANYTHING there is a high probability that this simple act will cause LL to tilt on its axis and lock me out of my account for an indeterminable length of time.

      ALSO:

      AirheadLinden wrote:
      Here are the steps:

      1. Login to your account. (Makes sense with a normal service provider)

      (There then follows a mis-numbered jumble of disconnected steps that somehow makes up step two)

      3. Call the Fraud number: 800-860-6990 ( Why don’t we just start here instead of going through the process above where it only results in a form e-mail that says: “We will look into it”…end of story)

    47. Amaya Nagy says:

      It is interesting to see how often you see the Warning of “Change Passwords” or “Use Strong Passwords” are around here in the last Days and Months. Seriously, everyone would get suspicious about that. So there have been Posts about a Security Breach which wouldn’t surprise me. There is no Security and no System that can’t be breached, 1-2 Years back everyone said that a Router (you know the little black box thingy for your intarweb) is unbreachable and the best in Security…Wrong! It can be breached and if you have seen how easy that is you will understand that something like “completely safe” isn’t possible, well ok it would be, no Internet Connection and your Computer is the safest in the World. I don’t mean directly a specific Person in the Blog with that, just general. Well back to the Point. Use a Password that only you know and only you will ever come to, I used for the last 4 Years on several “important” Accounts Passwords which have never been breached because you can’t actually guess them or even type them if you knew what it is unless you can copy it, which is also possible yet not that often used actually.

      So looking back, if you are safe about your Password, don’t change it. If you aren’t, change it, write it down somewhere on Paper and hide it there only you will find it, in case you have Brother/Sister who like to use the Computer. Never save it anywhere on your Computer because of Trojans and Keyloggers. Don’t, I repeat don’t accept Inventory in SL unless you know exactly what it is and where it comes from, if you aren’t sure about your Friend being honest with you, decline it. Never follow Links with any Number to any Site that is in Connection with SL and or a Site that is connected to SL Websites and/or Services (Hard to believe but I got a Notecard once of someone wanting me to give him an Authorization with a Link to SL Homepage with a Code to change a Password to his Will.). If you follow these Steps you are more or less secure as to your Password. Add to that Firewalls, Router and everything else you can and it will be at least really hard to get it. One last Hint, never under no circumstances will someone of a Company, be it LindenLabs, your Internet Provider or anything else ask your Password or any other personal Information. Sites that Offer Services but require a Password from you will to a chance of 99% Cheat on you and you will lose your Account and possibly everything that stands in Relation to that.

    48. Ann Otoole says:

      recommend use of gift cards for payment info. that way if someone does penetrate the database to find CC info stored in the clear then there is a limit on the immediate damages.

      then you can go buy a new one and dispute the 20 bucks or whatever got ripped off. only problem is if that 20 bucks was used with Linden research. If you dispute that charge your account will probably be frozen until the reversal is reversed. thus even more reason to use small gift cards and use the balance up. only put in a new gift card when you need to spend money and use it all up when you do.

      i know not everyone has this option available. i wish everyone had access to this technique. it is very effective at limiting your personal liabilities. if it is available then you might consider checking it out.

      i use this technique for *all* online purchases now.

    49. Rob A says:

      So…seriously…when will you stop with the breaking of your own software? Now I can’t even auto-update you freakin’ twits…just sell your damn company to someone competent already.

    50. ks says:

      So let me get this straight- we are supposed to file a support ticket and in around 30 days we MIGHT get resolution on possible theft of our account. I’m sorry but I have *no* faith in your support portal anymore….

    51. Adrian Zobel says:

      I think the biggest problem is that people can get into your account even without guessing your password. As long as they know the name of a few of your friends, or know what sim is your home region they can go to the website and have your password changed to whatever they want in seconds — without your approval! This reads to me more like an attempt to blame the victims, accusing them of giving out their password when they didn’t. But I’m just suspicious like that.

      I’ve been reading about it at, for instance: http://www.vintfalken.com/may-i-change-your-second-life-password/

    52. TigroSpottystripes Katsu says:

      did I get here in time to post?

      anyway, my tip regarding secure passwords would be using PasswordMaker (google for it), it is a program/applet/firefox extension (and perhaps some other variations exist as well) that generates unique passwords based on sites’ urls and a bunch of parameters you can set in it (so not only will the attacker need to get your master password but they will need to know all the parameters you’ve set to be able to generate your password again, and since the password is either copy/pasted or automatically filled on the pages by the ff extension keyloggers will also not be very effective, and if you use it to try to log on a phishing site the password generated will not match the password for the real service since the url isn’t the same, also even if one site’s password gets compromised it won’t be useable on other sites), you will only have to remember a master password and the parameters (mainly if you want to log from elsewhere or you don’t want it to store stuff on your own computer or if you use the applet I think) and there are probably several other benefits about it that I’m not remembering/thinking of right now

      ps: the online applet version runs only on your own browser; they don’t get any data about it when you use the applet
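The idea comment 52 describes (each site's password derived from a master password, the site's URL and a set of parameters) sketched as an added example; it is not part of the original comment and is not PasswordMaker's code or algorithm. PBKDF2-HMAC-SHA256 stands in for the derivation, and the function names, parameters and `example.com`/`example.net` hosts are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Hypothetical default alphabet; the real tool's character sets are not shown on the page.
DEFAULT_CHARSET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789!#$%&*+-=?@_"
)


def site_key(url: str) -> str:
    """Return the lower-cased host name that the derived password is bound to.

    Assumption: the full host is used, so www.example.com and example.com
    would get different passwords. Path and query string are ignored.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".").lower()


def derive_password(master: str, url: str, *, username: str = "",
                    length: int = 16, charset: str = DEFAULT_CHARSET,
                    counter: int = 1, iterations: int = 100_000) -> str:
    """Deterministically derive a site-specific password.

    Nothing is stored: the same master password, host and parameters always
    give the same output, and changing any one of them gives a different one.
    """
    if length < 1 or len(set(charset)) < 2:
        raise ValueError("need length >= 1 and at least two distinct characters")

    # Every parameter goes into the salt, so an attacker who learns the master
    # password still has to reproduce the exact parameter set.
    salt = "\x1f".join(
        [site_key(url), username, str(length), charset, str(counter)]
    ).encode("utf-8")

    # Two bytes of key material per output character keeps the modulo bias
    # negligible (at most len(charset) / 65536 per character).
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=2 * length)
    chars = []
    for i in range(length):
        value = int.from_bytes(raw[2 * i:2 * i + 2], "big")
        chars.append(charset[value % len(charset)])
    return "".join(chars)


def phishing_comparison(master: str) -> dict:
    """Derive passwords for a constructed real host and a constructed lookalike."""
    real = "https://accounts.example.com/login"
    lookalike = "https://accounts.example.com.login.example.net/login"
    return {
        "real_host": site_key(real),
        "lookalike_host": site_key(lookalike),
        "real_password": derive_password(master, real),
        "lookalike_password": derive_password(master, lookalike),
        # Bumping the counter rotates one site's password without touching others.
        "rotated_password": derive_password(master, real, counter=2),
    }


if __name__ == "__main__":
    for name, value in phishing_comparison("constructed master passphrase").items():
        print(f"{name:20} {value}")
```

A password filled in on the lookalike host is useless against the real one, which is the phishing resistance the comment points to; the master password itself still has to be kept off untrusted machines.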

    53. Sorry to be an alarmist but 2 (yes 2!) residents I know have had their CC#s stolen…one being my RL boyfriend who only used that card for SL. He has since quit the game and recently let me know about what had happened. I am seriously considering removing any/all payment information from my account as I suspect there’s a lot more to this password business than is being explained.

    54. Vint says:

      And I want to add the story of PingPing Zhaoying who also recently saw his CC balance being charged for LS he did not buy, which were transferred immediately to other avatars. He notified SL, and got only one IM reply: ‘we have security issues’. 9 days later, his account was terminated. It’s still not reinstated.

      The story here:
      http://www.vintfalken.com/pingping-murdered-for-a-crime-he-did-not-commit/

    55. Rinaldo Debevec says:

      What a bunch of whiners and complainers! Second Life is great. Linden Lab is great. They send out a standard message reminding people to use strong passwords along with advice about how to spot potential problems with your account. Sound advice if you ask me. And unlike any other entity I’ve ever dealt with, they ask their members to comment on procedures/methods that users can follow to make their accounts more secure. I found some good advice in these postings! Keep up the good (great!) work Lindens! P.S. My 2 cents worth: I LIKE the idea of login name and in-world name being the same … makes it just like real-life. All my RL accounts are based on my real name, and I don’t worry about it.

    56. The Baron says:

      I have now stopped using passwords entirely.

    57. TigroSpottystripes Katsu says:

      oh, and if you are worried about forgetting the parameters and don’t want them to be stored, you could do something like making rules obvious to you to choose each parameter (something like this one is the only option that resembles the name of my pet, or use the numbers, then the alphabet as they are on the keyboard, or this one is the weirdest one) or some other memory techniques (or perhaps write on your cell phone, on your wallet or anything you usually take with you wherever you go the parameters in a made up code that will not be obvious to anyone besides you or something like that)

    58. TigroSpottystripes Katsu says:

      btw LL, if there is anything we resis should know to take any measures to assure our interests (like safety, money and well being related stuff) regardless of the hit on your public image or the panic generated, I think it would be wiser to let us know now instead of being blamed later on when the s**t hits the fan….plz?

    59. Brett Finsbury says:

      great advice Ann. the other worry is logging in and finding your land was all sold or transferred.
      One nice thing about some credit cards is that if you report a fraudulent transaction within 30 days they usually will pull the funds back. Wonder how that will work with LL if they suddenly do that?
      Any answer to this Everett?

    60. Alex Warrior says:

      I should also just state, don’t be alarmist, I believe my situation is more than likely internal billing errors by Second Life.

      Cheers
      Alex

    61. Good to hear that Alex…but I am not so sure based on what is also being reported in the forums…

      Hope you’re right though 🙂

    62. nail stonewall says:

      the one thing i don’t understand about the set up here for cc is on most sites that i’ve been on you need to verify your 3 digit security code before any transactions are put thru, with sl it’s just asked once at the time of set up and that’s it, so it makes it possible for hackers to also empty your cc as well as your linden balance.
      just seems a simple step to reduce large losses

    63. Simon Nolan says:

      @ Bobo: Agreed, this post does confuse the two issues. Understanding phishing and keeping a good password are just two parts of protecting your account.

      @ Amanda: “I think we have a right to assume the worst-case scenario…” Um, that “assume” part worries me. I’m also a believer in Occam’s Razor. I think in this case, posting frequently about password security because people continue to use bad passwords is a much simpler explanation than a conspiracy by LL to hide another security breach.

      It should be noted that 34 states, including California, have laws requiring businesses to notify customers of security breaches involving their personal data. It seems to me that legally, LL cannot just putter along as if nothing has happened, only posting occasionally about maintaining account security, if a breach had occurred.

      @ Ann: Your idea of using gift cards is one I recommend to friends who are unsure about doing any business online. Having been a victim of identity theft myself, it’s something I consider whenever I buy online. Definitely a good way to limit your risk online.

      @ The Baron: LOL! They’ll never guess your password if you don’t use one, huh?!

    64. huni says:

      What use is submitting a ticket? My account was stolen TWO WEEKS ago, I have contacted you numerous times and NOTHING.

      They have stolen nearly a thousand pounds on my card roughly 2000 dollars, I never ever give my password out in game or on websites other than sl website.

      And like I can afford to keep calling America to chase this up, they have already taken enough.

    65. Aromadon Enoch says:

      I saw mentioned in one of the posts above the new “SL Mentors”. I have a word of caution regarding those, too, and it goes along with the level of care LL uses in dealing with customers…

      My last day in SL, before I was just too frustrated to fight it anymore and said ENOUGH, I was being griefed (as usual) in the Morris Sandbox by an av created that day, but possessing an impressive arsenal of weapons, including a psiTech with which he was caging and “burning” everyone in the sandbox. Several people were yelling at him to knock it off and attempting to use their own defenses and weapons against him when who should show up but a newly minted Linden Mentor. He immediately began telling the people being abused to “be quiet” and “let him handle it”… the problem with this was… this SAME av had been my FIRST experience in SL with a GRIEFER! My first day, this VERY person had shot me, caged me, flung me into the sky several million miles and, in general, been just as big a prig as the current guy…. yet he was able to become a Linden Mentor???

      What are their standards? How do they screen? How can you know WHO has access to WHAT if this person could become a mentor? Ok, I know Mentors don’t have access to passwords, etc… that’s not what I’m saying…. I’m saying, if LL is so lax as to allow a known (and yes, I reported him and got a “We’ve taken care of it” response) griefer to become a Mentor, can we have any confidence in who may be working within their physical walls either?

      I miss SL…. I don’t miss all the BS

      Sheep, meet wolves…. Wolves, sheep meat…….

    66. Wisdom First says:

      RE: Credit Theft Issues

      1) Use Discover or another Mastercard service that generates a new and unique credit card number for each individual online purchase. (Pay Pal has a new one out, and it is NICE!)

      2) DELETE the SL credit card information on file immediately after ANY use.

      (Enter a new uniquely generated card # immediately before any SL or LL purchase… wait about 15 minutes for the card to be verified, then make your purchase, then DELETE the CC info.)

      3) Enter a NEW one each month on billing and tier day.

      4) Remove the monthly payment method entry as soon as your tier and monthly fee has been debited. (This is easy, as you get an email receipt from the credit card company.)

      ADVANTAGES:

      You get to use a new unique number for each purchase.

      The CC information is automatically void at any other time.

      The credit card company’s computers keep track of your account, and although the number is immediately recognized as you, it cannot be used twice.

      Simple, end of problem.

      Sincerely, Wisdom First

    67. Neural says:

      @51 Simon: You are assuming that because it is law, that all companies obey said law.

    68. Cocomo Munro says:

      I think this has happened to a friend of mine in world…poor guy… I feel for those who have been victims of this type of “identity theft”

    69. Folks, there are scriptkiddies all over the ‘net who run automated programs working all day & night trying to “guess” passwords into paysites — one guess at a time. Considering the money that can be made from an SL account, I naturally *assume* (& you should too) that scriptkiddies are constantly glomming the SL login page running their little password-guessing programs. The recent reminders from SL don’t necessarily mean the site’s been “hacked” en masse. I think it just means that if you have a dopey password, SL is trying to get you to wise up before some lucky jerk makes it into your account!

    70. Ann Otoole says:

      don’t forget to wipe/fdisk your hard drive and reinstall windows at least twice yearly to get rid of the bots that have never been discovered by the anti virus companies. doesn’t matter how often you change your password if every password you enter anywhere is safely stored and later retrieved by the botmasters.

      not to mention the huge performance boost a fresh install of windows usually brings with it lol.

    71. Magi Merlin says:

      Alex@37:

      G’Day Mate,

      I am in almost exactly the same situation as you, except I have been waiting just a little longer for a meaningful response from LL (about 10 days now) and I only appear to have been stung for around $1000 AUD but I need to do a complete audit of everything to be sure. Good luck getting it resolved!

      It is good to see there is a fraud number to call – I wish I knew about it before. Perhaps it could be made a little easier to find.

      BEWARE THE PHISHERS OF AVATARS

      Magi.

    72. AWM Mars says:

      With a lot of ‘Fansites’ that require you use your SL ‘name’, many ppls use their same password, that is not uncommon with online games and is probably how so many accounts get hacked. Not because LL have been sloppy, but because the other sites have no real need, or ability, to protect this information to the same degree.

    73. Matthew Dowd says:

      Well, there has been a number of reports about an e-mail originating from vresp.com claiming to be from LL which had all the hallmarks of a phishing e-mail as described in the links from this blog (coming from an e-mail other than LL, included a link to a website other than LL – which redirected but who knows what scripts it installed first, implied not responding to the e-mail would result in the account being suspended etc.)

      Opinion on the forums seemed to suggest it was legitimate, but for this blog to appear so soon after those e-mails were reported suggests that it was bogus after all!

    74. milissa rossini says:

      My account has not been hacked but is still frozen. The reason is I was a fool to ask to fix my visa info and forum login problem (old trouble that never got fixed). I reread the ticket log and it said the issue had been solved about an hour later. When I logged in, I still had the old problem. I inspected the problem and tried to update info. After that, they froze my account. I can only log in to their web but can never read my info and log in to SL. My second ticket was issued 24 hours ago. But it is still pending and there is no e-mail confirmation whatsoever. I’ve been completely blocked from SL and my friend. I have been disappointed from the first date of my joining premium, and regret it very much. Is my problem somehow connected to phishing? Did the system mix up the matter!?

    75. Magi Merlin says:

      Hmmmmmm I finally got my response – LL locked out my account !!! GRRRRR

      Now I can’t even log-in to see my transaction history in order to audit what has transpired – THANKS VERY BLOODY MUCH!!! 😦

    76. Magi Merlin says:

      Attempted Step 3….
      “3. Call the Fraud number: 800-860-6990 ( Why don’t we just start here instead of going through the process above where it only results in a form e-mail that says: “We will look into it”…end of story)”

      Result:
      GREAT – Another pheakin’ phone robot – It’s only manned 9-6 Monday to Friday US Time! What’s the bet there is no one there today??

      So much for being able to nip the problem in the bud!!!

      AAARRRRRGGGGGGHHHHHHHHHHHH!!!!!

    77. Deira Llanfair says:

      One problem preventative tip I have been given is not to access the internet when logged on to your computer with administrator rights. Using the internet when you are logged on with low privileges can prevent malicious software from installing itself. (Just my two-ha’porth.)

    78. milissa rossini says:

      I joined their premium on 9 June 2007. I think it will be game over. This amounts to them stealing my 256M land and an estimated 35000L money (3000L in SLexchange, 15000 spent, and 1000L cash in account plus whole year stipends). I have been suffering from the first day I joined their premium. Whose fault is this?

    79. Raul Crimson says:

      Everett, even though I can understand that some people can share the password with other sites, or tell it to a partner or a friend, I’m sure most people are smart enough not to do this.
      This post makes me suspect you have security issues (not for the first time) and that it is your way of saying “Sorry if you are phished, it is not our fault”. I’d really love to see you say “Dear residents, Linden Labs has no security issues, your account is safe with us.” But if Linden Labs sometimes can’t take care of our data (inventory), I’m not sure it can take care of all our personal information.

    80. Ailik Ulich says:

      Password has been and always will be $=r0n.g for every account I have anywhere including my own computer login (12 yrs experience)

      Phishing? Can’t catch this phish…try!

      ~@

    81. Hanumi Takakura says:

      Well. Protecting an SL password is an effort of both LL and the user. On LL’s part, they should make sure their database is secure. And also, even they can fall victim to phishing. They’re humans after all and make mistakes. On the user side, of course, the usual. Never give your password to anyone, not even trusted sources. Period.

    82. Lyloo Lilliehook (Real name C. Soudais) says:

      HELP HELP HELP !!!
      Since this morning (it’s almost 5 PM here now) I cannot log in anywhere on Second Life, not in the game, not on my account on Second Life’s website, not on the support page (I wanted to submit a ticket to solve this issue, but it’s not possible); this is the one and only page which will let me in. When I try to log in it tells me: Unable to connect to second life, the system may be down, please try again in a few minutes…
      I don’t think my account could have been phished as I use a 12 character password including lower letters, caps and numbers, moreover this password is 3DES protected, and I don’t use the same one on any other site.
      The optional viewer has also been downloaded since the day it came out so it’s not a version question.
      I know this is not the place to ask for help, but I would be glad if someone told me what I can do, knowing that I can’t access anything related to Second Life (I have to specify that I can access the web, so it’s not my connection that’s not working), and that I can’t phone internationally.
      I pray for some of the Lindens to read this page and maybe answer me if they’ve some time available!!
      Thanks so much in advance for any idea!

    83. Lyloo Lilliehook (Real name C. Soudais) says:

      Oh, and I forgot to add that when I try to log in to my account (clicking on “resident login”) on Second Life’s website, or at the support page or the forums, it doesn’t tell me my password is not correct or such things; it’s just showing a “server not found -unable to display page” (I don’t really know how it displays in English but translated it’s more or less that, lol)
      I ran every anti crap I have: AV, anti spyware, anti rootkit, anti everything, with no positive result …

    84. Rob Adelaide says:

      Ha! Is that like the Dr. Strangelove title?
      I think it was…
      “Dr. Strangelove or How I Learned to Stop Worrying and Love The Bomb”

    85. Io Auer says:

      Unless it’s possible for an AVIE to run on its own, I’m being “phished” right now. I’m looking at myself on my neighbour’s PC. I hope my nice rental and my 3 humble stores will still be there when I get my AVIE back :-(((

    86. pantaiputih korobase says:

      sorry, i do not dare to change anything in SL anymore

    87. Simon Nolan says:

      @53 Neural, so, are you and others asserting that LL has had another breach, and that they’re hiding it from us? Are you saying that LL is being malicious and evil, not telling us our accounts have been cracked?

    88. Jessica Elytis says:

      I DID submit a Support Ticket over a possible phishing scheme due to posted threads on the official SL Forums. This was OVER A WEEK AGO. Guess what? The Ticket is still open with NO RESPONSE. Ticket number 4051-4210381 if you actually care.

      Yeah, great way for LL to handle possible phishing problems. You won’t even acknowledge the questions of the Community, let alone answer them.

      ~Jessy

    89. pantaiputih korobase says:

      Lindens, buy hardware, get proper servers

    90. Digital Digital says:

      The fraud phone number is pathetic, I did a test call to it just to see if it works and the 10 times I tried calling it I get a message stating to try calling back in a few minutes. What a joke.

    91. TigroSpottystripes Katsu says:

      are you people that claim to be revealing your passwords for real? isn’t that admitting to LL that you broke one of the rules? (there is something like “you can’t share your account with anyone” or something like that, isn’t there?)

    92. luke dunlin says:

      i can’t seem to log in to my account, even though i opened it 20 mins ago. it is very frustrating…..plz could you help?

    93. I refrained from posting earlier …but it’s all coincidental that my credit card got ‘nicked’ less than a week after registering on the site .. luckily my CC company noticed and repaid all the bogus flight tickets / top up phone card bills …..

      but I’m not the only AV beginning with ‘A’ that this has happened to .. I know of 2 others … so just as a warning .. check all your latest credit card statements for any dodgy purchases…

      Adec

    94. Carsten says:

      I am sorry if I step on someone’s toes but this whole blog entry appears to me to be of the “we told you to type” in case accounts get tampered with – by whatever means.
      It is to provide a fast exit for Linden in case something DOES happen to the accounts.

      There is NO WAY for us to verify whether an account has been hacked on the Linden servers or on the user side, so this is pure speculation and (unfortunately) leaves us having to rely on Linden lab’s statements *sigh*.

      Everett, please go back to the drawing board and compose a sensible NOT MISLEADING blog entry that is NOT MIXING UP MATTERS.

      As the ‘strong password’ topic still bears importance to the overall security aspect of Sl, let me comment on this part.
      I am not going to repeat the listing of flaws and contextual errors but AM going to respond to some “self acclaimed” security experts.
      Whoever calls him/herself such and states bull**** like “your password should be at least 6 (or in another case 8) characters long” doesn’t know sh*t from shine-all!
      It will take me anything in between a few minutes or VERY FEW hours to hack such a password either by dictionary or brute-force attacks.
      A safe password should cohere with the following requirements:

      – NO WORDS, NAMES or PHRASES
      – MIXED upper and lower case characters
      – COMBINATION of Numbers, Letters and Special Characters (if the software supports the choice of non-ASCII characters, things like ‘#@ÇÑ etc’ do help a lot)

      – THE LONGER THE BETTER !!!!!!!
      Even a password with 15 characters if consisting of only numbers and letters is to be considered MEDIOCRE in safety standards.

      Your best bet will be to use a password manager that will create, store and enter (without having to type it – hence bypassing possible key-loggers) passwords.
      I use such software (there are many out on the market, both free- and payware) in combination with a key file stored on a USB stick with fingerprint reader.
      The whole setup works with ALL passwords and programs I use and it did cost me less than 50$.
      Not only does this solve a lot of safety issues but also clears your ‘brain’s cache’ by avoiding the need to remember any passwords.

      PHISHING solely relies on the individual user’s STUPIDITY.
      Anyone responding to emails requesting user names or passwords or SITES that want this information at THIS DAY AND AGE does not deserve any better than having to pay some extra $$$ as a ‘stupidity bonus’. How many e-mails from your bank, e-bay or paypal have we ALL received during the last months alerting us about this problem and offering solutions. If you haven’t got the message yet (unless you bought the first PC in your life today to play SL) you will never get it, so please stop whining and complaining.

      Carsten
      (a non hacked, phished or otherwise tampered with SL user)

    95. Ian says:

      my bank told me yesterday that LL’s credit card records had been broken into and that they were intercepting transactions involving them.

    96. Troy says:

      I run my own site which has a user data base. even as the webmaster i can’t look up passwords on my site. the site code used encrypts the passwords. so if they forget we can’t resend them the current password, it resets to a new password and sends it to the email on file.

      That’s mainly all i can do as a webmaster, enter a new password. i can’t look at one they set and attempt to use it on their email provider.

      And yes i think Linden Labs is using a different form of user data base set up which is poor and lacks safety. and you tell people like in this post to not use a password from another site on your SL accounts. i’m sure a good 85% of the users do that. they only wanna remember one code, not make up another so they have to worry about remembering it.

      With all this craziness of Linden Labs Being sued, policy changes, fees increasing (sim prices), People whining like little babies cuz they see someone in a child av and start judging them cuz they’re in this area or that area or they see them doing this or that.

      I seem to recall the site saying on the home page. “Your World. Your Imagination.” yeah right not anymore. i been playing this over a year and as things are today i would say to hell with these other new features, if i could give them up to have the SL life around when i joined i would do it. things were more simple and you didn’t have to worry much about what you do. can’t even play a midget without worry. lol

    97. Kristyn Muir says:

      I keep wondering about those of you that keep asking if the data base has been hacked. If it had been it wouldn’t matter if you had the strongest password in the universe now would it? nor would it matter if you had been phished and gave it to someone pretending to be a linden….

      However, I imagine when someone goes to the Lindens saying their pass has been hacked and 1000’s of L$’s have been stolen it must be a time consuming headache to track it down (although, I suppose there is an IP log) and check it out to see if it’s legit or not, so it’s probably easier for them to just remind people. I’m sure there are plenty of people using silly passwords so they can easily remember them that anyone could figure out, once they’ve gotten to know them.

      Kris

    98. JJ Rotunno says:

      Tell me if I’m wrong but if you buy lindens for the month then delete payment info, aren’t you secure?

      OK so you’ve got a big lump sum to deal with so best to rotate your outgoings so they all fall in 1 day or close to that but for a month of security, worth the hassle right? DO IT DO IT

    99. Alberta Sautereau says:

      Hello!
      I have tried to log in for the last 2 weeks but I can’t. I have submitted 3 tickets but…
      If I try to connect with another avatar …all is ok. But I wish to use my old account. Can you help me pls?

    100. Magi Merlin says:

      I have just received an email purporting to be from Linden labs but on closer inspection it was actually transmitted from a firm called VerticalResponse Inc. and they were phishing for billing information.

      So be aware, there are imposters everywhere!

      Having recently been the victim of significant phantom billings in SecondLife I implore you all to be on your guard.

      Mag

    Comments are closed.