No, the corresponding email address was still working fine and not comprimized.

I believe what you say about corresponding IP address and the timestamped UUID (didn’t know it worked that way, thx!) making this more safe, but still… if there were no problems whatsoever, then why did LL just did not put the JIRA issue as solved, in stead of ‘hide it’. Why did nobody ever reply, and why - this has nothing to do with the security issue, but all the more with Linden Lab policy - after TWO MONTHS, pingping zhaoying’s account is STILL NOT REINSTATED? And now - after filing another ticket, he got a phone number that’s not reachable from belgium. Hmmm…

(sorry for the caps, I really can’t understand how they can treath their residents that way.)

As the IP system is foolproof: why do I then never got the four questions page, even when trying from the PC I use daily for SL and with my own account name? (IP is fixed until reboot of the PC, I think, maybe even longer.)

Here’s a breakdown of it:
User clicks ‘Forgot password’
User enters SL name
An email is sent to the registered email address with a URL in it.
User clicks ‘Email no longer valid’
At this point, the process splits based on a condition.

If that user has ever successfully logged into secondlife.com or into SL from the current machine’s IP address using the reported name, they go to the aforementioned ‘4 question’ screen.
If the user has never logged in under that name, they go to a screen with a phone number on it.

The email link sends the user to the ‘4 question’ screen. These questions are very easy to answer, but it is assuming that your email address is secure.
Fabricating one of these numbers would be rather difficult. It is a timestamped UUID, so the person would have to know the millisecond that SL.com generated the UUID as well as guess at a ridiculously large random number.

I’m not saying this system is ‘perfect’, just putting out my two cents on it. I don’t really believe that it’s as big a problem as made out to be here.
Is it perhaps possible that the account in question had its corresponding email address hijacked?

Nock said: Seems the fix has going on now. Some people got “Call Us” dialog after clicking “Email no longer active?”. Correction should be done in soon.

Luckily I don’t have a home (build) in SL (hehe), just XXXXXXXXX.

I suggest they give the options only after email verification, and that the “Email no longer active?” option should be phone ONLY.

I’m gonna suggest it on JIRA.

Glad to hear that you will be back!

I have issued a refund of the charges that were fraudulently placed on your account. We’ll have the account returned to you, asap. We are responding to attacks like this as quickly as possible. Sorry for the trouble.

JP
ontvangen vandaag zaterdag 30-07 9 dagen na neerleggen klacht en enige reactie (dit is violledige mail)