The new home for the IMVU Community is help.imvu.com. For more information, check out this article.

Further details regarding Data Breach
Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 2:37 pm    Post subject: Further details regarding Data Breach

As per Brett’s post, we have been working around the clock for the past 2 days to address the user data breach issues from the malicious hack on 9/9 and feel we have a solid understanding about what data was or was not breached. Our investigation continues. However, we also felt the need to communicate to our customers at this early stage and with the best information we currently have. If we determine that any additional and important information comes to light as part of our ongoing work, we will update you at that time.

Here are the details that we know as of now regarding the malicious hacker attack against IMVU and the data breach.

Complete list of the data fields that could be accessed by the hacker (for accounts that registered in 2008 or before):

-- Avatar name and unique id: This information is accessible to people using IMVU. Avatar name is chosen by users and unique ID is assigned by our systems.
-- Password hash: this is the result of encrypting a password with a cryptographic hash function. A deeper understanding of password hashes and risk is provided in the “Information About Password Hash” section, below.
-- Email: this is the email address associated with the account
-- Gender: The avatar gender associated with the account based on the outfit chosen at account set up
-- Name: First name and last name if provided at registration
-- Referrer: If any, other IMVU account that referred this account
-- Lookset: The outfit chosen during account set up
-- DOB: The date of birth provided at registration
-- Country and state: self-identified country and state
-- Credits and Promotional Credits balance
-- Scam artist flag: this is a flag indicating action was taken against an account for certain types of TOS violations
-- IP address: IP address at the time of registration
-- AP: if account has Access Pass
-- Various fields that are inactive or control simple preferences (is admin, wants mail, subcategory pref, help pref, disabled account flag, survey flag, first conversation indicator, visibility pref, last message read date, reward email date, inventory regeneration date, invite email flag, “try it” pass flag, hide help pref, newsletter pref).

It is important to note that customer information in the database accessed is user-provided and not verified. Also, many accounts from the registration range we believe is impacted are inactive or disabled.

What was NOT accessible:

To reiterate on Brett’s post, we found no evidence that information usually associated with financial risk or identity theft was accessed as part of this breach.

So, in particular, the user data that appears at risk to access in this breach did NOT include:

-- Payment & billing information: if the customer had purchased anything on IMVU
-- Physical addresses in situations where they are collected i.e. credit card orders
-- Tax information or social security number
-- Information about products purchased, created, or sold
-- Content of interest panels, friend lists, photo albums, outfits, chats, messages, pulse, help tickets etc
-- Earn Money program related documents or information (applicable to Creators in the program)

Information about Password Hash:

Here is some more information about “password hash” so customers can understand the risk. While a hash is one-way (you can’t extract the password from it), it is possible to confirm if a password matches by using the hashing function on a password attempt to see if the resulting hash matches (this is “brute force” and is not an efficient method of getting passwords). Also, for weaker hash functions, it is possible to generate passwords that are very different but result in the same hash.

In 2004 the hash function we used was consistent with industry practices at that time. About 2 years ago we further updated the hash function to be significantly stronger, so anybody that created an account or logged-in during the last 2 years has an updated hash that is much stronger and consistent with current best practices (we could not convert old hashes to the stronger hash because we don’t keep a copy of actual passwords anywhere and you need the actual password to generate the hash).

Based on our understanding of the data accessed, anybody that registered during 2008 or earlier and has not logged-in during the last 2 years has a hash that is weaker and more vulnerable to being exploited. We automatically retire accounts that have been inactive for 2 years, so most of the weaker hashes should be associated with retired or disabled accounts, limiting the value of accessing the account.


Last edited by Varsha 18+ Age Verified on Sun Sep 20, 2015 10:16 am; edited 4 times in total
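
The upgrade path described in the post above (an old hash can only be replaced when the user next logs in, because only then is the actual password available) can be sketched as follows. This is an added example, not part of the original post and not IMVU's code; the post names neither hash function, so unsalted MD5 and salted PBKDF2-HMAC-SHA256 are stand-in assumptions, and the record format and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: the post does not say which functions were used. Unsalted MD5
# stands in for the old scheme, salted PBKDF2-HMAC-SHA256 for the newer one.
PBKDF2_ITERATIONS = 600_000  # illustrative work factor


def legacy_hash(password: str) -> str:
    return "legacy$" + hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-hash the attempt with the record's own scheme and compare."""
    scheme, _, rest = stored.partition("$")
    if scheme == "legacy":
        candidate = legacy_hash(password)
    elif scheme == "pbkdf2":
        salt_hex = rest.partition("$")[0]
        candidate = strong_hash(password, bytes.fromhex(salt_hex))
    else:
        return False
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def login(db: dict, user: str, password: str) -> bool:
    """Check the password; on success, replace a legacy record in place."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("legacy$"):
        # Only at this point is the plaintext available, so only here can
        # the weak record be replaced with a strong one.
        db[user] = strong_hash(password)
    return True


def still_legacy(db: dict) -> list:
    """Accounts that have not logged in since the stronger scheme shipped."""
    return sorted(u for u, h in db.items() if h.startswith("legacy$"))


def demo() -> dict:
    # Constructed sample records, not data from the incident.
    db = {"active_user": legacy_hash("correct horse"),
          "dormant_user": legacy_hash("hunter2")}
    login(db, "active_user", "wrong guess")    # fails, record unchanged
    login(db, "active_user", "correct horse")  # succeeds, record upgraded
    return db
```

Records reported by `still_legacy` are the ones the post describes as weaker: they stay in the old format until the owner logs in again or the account is retired.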

Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 2:40 pm

FAQs:

I registered after 2008, do I have to change my password?

As a precaution, we recommend that you do so. As always, ensure your password is hard to guess, unique to IMVU (i.e. not used on other sites), and never shared with anyone (including IMVU staff).

How do I change my password?

** Log into your IMVU account
** Go to: https://secure.imvu.com/account/change_password/
** Follow the steps on that page including the ad-based captcha
** If you have an ad blocker, please turn it off temporarily to do so.

Did the hacker get access to my payment information or information I provided when I bought AP?

Our investigation indicates no. Such information is not stored in the databases that we believe were accessed. Our confidence is increased by the fact that the most sensitive payment and credit card information is not stored on IMVU’s servers.

I submitted my personal information for the Earn Money program, is it secure?

Our investigation indicates yes. That information is secured in a completely separate system outside of the database that was accessed by the hacker.

Does the hacker have actual passwords for affected accounts?

No. What they potentially have is a way to possibly generate an identical password or a different (but valid) password, especially if the password is weak and easy to guess via brute force.

Is the data accessed current information associated with the account?

Yes. If an account set up in 2008 or before has changed its email address for example, then it will be the current email address associated with that account.

Will I receive a notification if my account has been affected?

We will send a message to all active customers with accounts for which we believe the data was accessed.

Why are you not sending a message to everyone?

Based on the records contained in the partial copy of the database we believe was accessed by the malicious hacker, less than 15% of all IMVU accounts had data involved in the breach and, since those accounts are 7-11 years old, most of those accounts are retired or inactive. We believe the information in that database is of minimal risk, and the authorities and security experts we have been working with agree. Although most of our customers do not appear to have had any user data exposed in the breach, we are electing to be transparent and communicate more broadly.

What should I do to ensure my account is safe?

1) We recommend you change the password to your IMVU account - make sure it is a hard to guess password and unique to IMVU.

2) If you receive any email/message seemingly from IMVU but asking for your password - ignore. IMVU, its staff, or its Customer Support team will never ask for your account password.

3) Continue to enjoy IMVU, never sharing your password with anyone and not clicking on non-IMVU links offering free stuff.

Can I get exact/further details about current security and monitoring systems deployed by IMVU?

No. Such information will not be shared for obvious reasons. Rest assured, IMVU has and always will make sure we have the best systems and processes in place to ensure our customer data is safe. It is these systems that allowed us to detect and stop the malicious hacker activity as well as not allow access to payment information etc.


Last edited by Varsha 18+ Age Verified on Sun Sep 13, 2015 7:04 pm; edited 5 times in total

Abram VIP Club Member 18+ Age Verified
Moderator

Joined: 06 Jul 2009
Posts: 8719
Location: Netherlands

Posted: Sat Sep 12, 2015 3:09 pm

Mod hat off

Just wow. . . I hope that the hacker gets caught for his/her actions.
_________________
Let’s find a light inside our universe now

Qwerty VIP Club Member 18+ Age Verified
Moderator

Joined: 13 Aug 2007
Posts: 14708
Location: Malta

Posted: Sat Sep 12, 2015 3:21 pm

So, as a user who made an account before 2008, was all the data on that database up to date? As in, it stored current information about my account, and not old data from 2008 when I did sign up? I ask because my password, email address and date of birth (it was wrong when I signed up and corrected about a year afterwards) have changed since 2008, so wondering which time of data the thief may have access to.

(Sorry if the answer is obvious, it's late here)

Although this is all terrible news, I am very pleased with how IMVU have handled it. Transparency is always good and I appreciate the steps IMVU have taken in dealing with the theft.
_________________
New Forums and Help Centre announcement

Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 3:23 pm

Quote:
So, as a user who made an account before 2008, was all the data on that database up to date? As in, it stored current information about my account, and not old data from 2008 when I did sign up?


Correct. It is the current information associated with that account.

Qwerty VIP Club Member 18+ Age Verified
Moderator

Joined: 13 Aug 2007
Posts: 14708
Location: Malta

Posted: Sat Sep 12, 2015 3:26 pm

Varsha wrote:
Quote:
So, as a user who made an account before 2008, was all the data on that database up to date? As in, it stored current information about my account, and not old data from 2008 when I did sign up?


Correct. It is the current information associated with that account.


Okay, thank you, I thought so, but good to be certain.
_________________
New Forums and Help Centre announcement

Ambrosyia 18+ Age Verified

Joined: 25 Mar 2008
Posts: 1253
Location: USA - KY

Posted: Sat Sep 12, 2015 3:30 pm

So, when does IMVU plan to send out information to EACH account's inbox on this matter?

Not everyone reads forums and not everyone reads that blue ticker up there. So, IMVU wants to do what's right --- send out messages to inboxes and emails.

Madotsuki 18+ Age Verified

Joined: 23 Nov 2009
Posts: 1979
Location: USA - NY

Posted: Sat Sep 12, 2015 3:32 pm

The amount of salt this hacker has, to follow through their plan just to get funds from IMVU, is painfully high. This hacker's a complete joke if they think IMVU will oblige to the demands.

I am sorry to those affected, but I'm pretty glad no ultra sensitive information was stolen. Still sucks, though.
_________________
My Catalog

The Joke

Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 3:32 pm

Ambrosyia wrote:
So, when does IMVU plan to send out information to EACH account's inbox on this matter?

Not everyone reads forums and not everyone reads that blue ticker up there. So, IMVU wants to do what's right --- send out messages to inboxes and emails.


Quote:
Will I receive a notification if my account has been affected?

We will send a message to all active customers with accounts for which we believe the data was accessed.


Yes this is planned as per our original posts. This will happen in the next couple of days.

ChocolateCookie 18+ Age Verified

Joined: 22 Apr 2009
Posts: 5521
Location: Estonia

Posted: Sat Sep 12, 2015 3:34 pm

Oh geez, I feel more and more unsafe here every day!

There is one thing that still concerns me, and that is whether our help ticket information was accessed or not? Myself and many other people had to verify our account by sending an image of our ID to the customer service and it would be very, very messy if someone had access to that. This is not "earn money" program related at all.

_________________
PM me a dank meme and get a free gift!


Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 3:36 pm

ChocolateCookie wrote:
Oh geez, I feel more and more unsafe here every day!

There is one thing that still concerns me, and that is whether our help ticket information was accessed or not? Myself and many other people had to verify our account by sending an image of our ID to the customer service and it would be very, very messy if someone had access to that. This is not "earn money" program related at all.


We have listed the information that could have been accessed in the original post based on our investigation. Help center information is not listed in there.

Thank you

ChocolateCookie 18+ Age Verified

Joined: 22 Apr 2009
Posts: 5521
Location: Estonia

Posted: Sat Sep 12, 2015 3:39 pm

Varsha wrote:
ChocolateCookie wrote:
Oh geez, I feel more and more unsafe here every day!

There is one thing that still concerns me, and that is whether our help ticket information was accessed or not? Myself and many other people had to verify our account by sending an image of our ID to the customer service and it would be very, very messy if someone had access to that. This is not "earn money" program related at all.


We have listed the information that could have been accessed in the original post based on our investigation. Help center information is not listed in there.

Thank you


Thanks, it was just that it was not the other list either which is why I was concerned.
_________________
PM me a dank meme and get a free gift!


Ambrosyia 18+ Age Verified

Joined: 25 Mar 2008
Posts: 1253
Location: USA - KY

Posted: Sat Sep 12, 2015 3:44 pm

Does this mean that IMVU will consider better security? Google has the option of doing a two-step security (which they send a code to my cell) or as other sites have a slight extra security step?

AlexisTaz VIP Club Member

Joined: 09 Jul 2011
Posts: 1978
Location: New Zealand

Posted: Sat Sep 12, 2015 3:49 pm

I hope you catch the hacker ...
also changing my PW though it registered in 2011, I will feel much safer.

Varsha 18+ Age Verified

Joined: 01 Feb 2010
Posts: 11465
Location: USA

Posted: Sat Sep 12, 2015 3:50 pm

Ambrosyia wrote:
Does this mean that IMVU will consider better security? Google has the option of doing a two-step security (which they send a code to my cell) or as other sites have a slight extra security step?


We will continue to evaluate our security systems already in place and plan accordingly.
All times are GMT - 8 Hours
Page 1 of 22