The new home for the IMVU Community is For more information, check out this article.

Data Breach and What You Need to Know

Post new topic   This topic is locked: you cannot edit posts or make replies.    IMVU Forum Index -> Older IMVU News, Announcements and Release Notes
View previous topic :: View next topic  
Author Message
Brett VIP Club Member

Brett <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon -->'s page

Joined: 18 Aug 2004
Posts: 189
Location: USA

PostPosted: Sat Sep 12, 2015 2:37 pm    Post subject: Data Breach and What You Need to Know Reply with quote

Data Breach and What You Need to Know

Two days ago a malicious hacker accessed some data on our service and I want to ensure our company keeps our customers informed about the situation and what we are doing to address it.

I’ll start by eliminating the big scary issue you read about with almost all data breaches… no payment information (e.g. credit card numbers), tax identification or other data usually associated with financial risk or identity theft was accessed as part of this breach. Additionally, IMVU credit balances, and product purchases are not impacted.

We’re Sharing Because We Value and Respect Our Customers

Before I get into the details of the breach, I think it is important to state the reasons driving our decision to be transparent and communicate quickly:

* First and foremost, we think it is the right thing to do. It is best for our customers and empowers them with all information necessary to ensure their accounts are protected. We are treating our customers the way we want to be treated.
* Customer privacy is of utmost priority for us and that requires acknowledging when we fall short and become the victim of a hack. No security system is perfect but we can keep trying.
* We do not encourage or reward criminal behavior and will not cooperate with bad actors who try to use extortion to benefit from actions that are harmful to our community or society in general.

Details of the Breach

On September 9 a malicious hacker gained access to a server on the cluster of computers that provide the IMVU service to customers. We were alerted by various security systems we have in place and took action to block activities from the hacker. However, the hacker was able to obtain access to a partial copy of one database table and some customers could have had their information accessed. We have not found indications of any further breach of access to customer data. Subsequently we received an extortion threat from the malicious hacker, asking for financial compensation in exchange for not using the data and not exposing the breach to the media or other sites.

The database accessed contains basic account info, and the partial copy of the database contains the oldest records, which is for customers that registered their account in 2008 or earlier. Here are the relevant details of what is stored in the basic account database and which we believe the hackers may have accessed:

* Identifiers used in our products: avatar name and unique id
* Password hash: this is the result of encrypting a password with a cryptographic hash function. It is important to clarify that this encryption is one-way, so a password can’t be extracted from the hash. For a deeper understanding of password hashes and risk, see this post
* Email: this is the email address associated with the account
* Non-verified customer information: birthday, first name and last name (if provided at registration)
* Various status fields, preferences and flags, details of which are in this post

Since hackers intend to have their activities go undetected, it is hard to know with complete certainty, but we looked hard and have not found evidence of any further access to user account data beyond this breach.

Our Company’s Next Steps

While the feedback from law enforcement and other security agencies has told us that the data accessed is insignificant in terms of risk, we are treating this very seriously. We will not share details of how we are mitigating the impact of the breach, but every single employee has been involved in some part of the mitigation and we quickly assembled a very large, cross-disciplined project team dedicated to the situation. We are also working with the FBI and security companies, experts in handling such issues. We will be messaging the accounts we believe are affected by the breach and directing them to this Forum post. Following our initial mitigation, we will have a security audit performed by an independent third party. Finally, if we become aware of additional information that is relevant to our customers, we will share that information.

Experiencing this breach has been a tough challenge for all of our employees… we want to treat our customer information the way we want our information to be treated by other companies. It is worth noting that many employees and company founders have accounts that are in the date range we believe was accessed (I am one of those employees). And while massive data breaches against huge companies have become an almost weekly occurrence, we will continue to set our expectations higher.

Precautions You Can Take to Reduce Risk

We always recommend that IMVU customers set their password to something that is strong (upper case + lower case + symbol) and unique (not used for any other service).

As a precaution, we recommend that all IMVU customers that registered in 2008 or earlier change their password immediately. And, if your IMVU password was the same password you used for another service, you should change the password on that service without delay. It is not a bad idea for other customers to reset their passwords as well.

The other data accessed can associate an email address to an avatar name and reveal some features of the account that are normally not visible to others. We understand this information is important for our customers, which is why we are letting you know it was accessed.

Because of the age of the data accessed, the lack of financial information and some other factors, external experts suggested that data as a whole is not valuable to a hacker for exploiting additional financial gain or identity theft. We generally don’t require detailed or private information about our customers and that has helped minimize the value and impact of this malicious exploit.

As we state often, IMVU staff will never ask for your passwords, so if you get any emails/messages purporting to be from IMVU, please ignore them and keep your account safe.

Posts like this are really hard to write. We value our customers and must continue to earn their trust, as well as the privilege of having them as our customers. I believe the best way to do this is through transparency, respect and commitment to doing the right thing.
Back to top
View user's profile Send private message  
Varsha 18+ Age Verified

Varsha <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page

Joined: 01 Feb 2010
Posts: 11465
Location: USA

PostPosted: Sat Sep 12, 2015 2:49 pm    Post subject: Reply with quote

Additional details and FAQs are available in this post. You may also discuss the topic in that thread.

Thank you
Back to top
View user's profile Send private message  
Display posts from previous:   
Don't want to see these ads? Join the VIP Program!

Hide ads? Get VIP!
Post new topic   This topic is locked: you cannot edit posts or make replies.    IMVU Forum Index -> Older IMVU News, Announcements and Release Notes All times are GMT - 8 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

 FAQFAQ   UsergroupsUsergroups   RegisterRegister  ProfileProfile   Log in for private messagesLog in for private messages 

Search the forums:

Powered by phpBB