High Fidelity users just got an e-mail from Philip Rosedale, CEO and founder of the new social VR world, announcing this unwelcome news:
Recently, we determined that a High Fidelity staff email account was compromised. Based on an audit of our logs, it appears that the account was accessed by an unauthorized user in late December and again in early January. I’m contacting you today because this compromise may have exposed your email address and High Fidelity account username. Your password was not decodable from this information, and no payment or credit card information or history was accessed.
Full text of e-mail below, including steps the company is taking to protect their users. One of the key takeaways, Philip tells me, is "it underscores the importance of a correct long-term design for secure identity - something that I think we can lead the discussion on." As he points out in the e-mail:
Looking forward, this is an opportunity to touch on how important we think identity and the security of your identity will be in virtual worlds... It is our belief that as High Fidelity becomes widely used as a platform, we must design and implement identity systems which are decentralized, under the control of you (not us), and ideally impossible to breach through any single point of attack.
That's decentralized versus the centralized services like Facebook and Twitter that most of us use almost every day -- and that are seemingly breached every day. Anyway, full announcement below:
Recently, we determined that a High Fidelity staff email account was compromised. Based on an audit of our logs, it appears that the account was accessed by an unauthorized user in late December and again in early January. I’m contacting you today because this compromise may have exposed your email address and High Fidelity account username.
Your password was not decodable from this information, and no payment or credit card information or history was accessed.
We internally use a 3rd party analytics package. The compromised email account had access to this tool. The tool integrates with a copy of a database to allow us to track total hours of use, crash rates, and so on for users that opt to share that information.
Due to an oversight, the copy of the data that we use for analytics also included these emails and High Fidelity account names. We were able to confirm that the compromised account was able to access this user information through the analytics package. This information also included salted and hashed passwords. Salting and hashing creates an unreadable string based on your password.
Salted and hashed passwords cannot be used to access your High Fidelity account, and we have had no reports of High Fidelity accounts being accessed without authorization. However, it is the case that we have failed to hold in trust personal information you gave us when you signed up for High Fidelity.
I want to personally apologize for this failure.
In terms of what happens next: We are currently reviewing the security of all of our systems and adding additional security such as two-factor authentication to all our internal email accounts. As a precautionary measure, you might consider reviewing your email activity and particularly any emails you have received from High Fidelity. Please notify us if you see anything suspicious.
We very much hope you will continue using High Fidelity. However, if you wish to have your account deleted, please email [email protected] using the email address registered to the High Fidelity account you wish to delete to initiate this process. Please feel free to contact us at [email protected] with other questions about this matter.
Looking forward, this is an opportunity to touch on how important we think identity and the security of your identity will be in virtual worlds. In our alpha and beta stages we have taken the approach of storing user information in a traditional database. But, as this breach demonstrates, this is not a perfect solution, no matter how carefully designed and managed. It is our belief that as High Fidelity becomes widely used as a platform, we must design and implement identity systems which are decentralized, under the control of you (not us), and ideally impossible to breach through any single point of attack.
See you in-world,
Philip Rosedale
CEO, High Fidelity
(Emphasis mine, because it bears emphasizing.) Much thanks to Adrian Cutler for this tip!
Russians now feel they can get away with anything online.
Enjoy
Posted by: josey | Friday, January 27, 2017 at 07:14 AM
Considering high fidelity crashes 30 seconds after starting up, it isn't a problem.
Posted by: James Printer | Friday, January 27, 2017 at 08:06 AM
Although not directly stated, it would appear the break-in artist possibly made off with the user account database. If this is the case, other privileged structures were probably breached too. Was it simple theft or did it go deeper? A sophisticated attacker would disguise their movements and install several backdoors, so they can revisit. Of course, this can be a nightmare for the company involved. I am reminded of what Stratfor went through after their meet-up with members of Anonymous. The problem, however, is more interesting for HF because they plan to be an identity provider and a similar breach would take on much more serious proportions.
The ease with which even sophisticated identity safeguards can be defeated should give anyone trusting the public Internet pause.
Posted by: Argo Nurmi | Sunday, January 29, 2017 at 08:33 AM