Linden Lab, the San Francisco company behind Second Life, says the database breach potentially exposed data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all 650,000 Second Life players.
The company says unencrypted credit card information, which is stored on a separate database, was not compromised.
The breach was discovered on 6 September, and in an e-mail sent on 8 September Linden Lab informed all Second Life members about the problem and told them to request a new password.
"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," says Cory Ondrejka, CTO of Linden Lab. "While we realise this is an inconvenience for residents, we believe it's the safest course of action."
The company says it launched a detailed investigation following the breach that revealed an intruder was able to access the Second Life databases utilising a "0-Day Exploit" through third-party software residing on Second Life servers. Due to the nature of the attack, Linden Lab says it cannot determine what information was exposed. The company's technical investigation is ongoing.