Tag: Account Security

One of the things that we’re trying to do is making the Second Life financial transactions easier for creators and buyers.  We’re doing more and more things to streamline systems, to give real-time payments … The bad news is that when you start to do these really good things for folks, you become a target, and bad people try really hard to take over other people’s accounts.

– Linden Lab Executive Chairman, Brad Oberwager, May 22nd, 2025.

These words formed comments by Linden Lab Executive Chairman Brad Oberwager during a Zoom call to bloggers and operators of large in-world Groups held on May 22nd, 2025. The call was held ahead of an official blog post on the matter of account security in the face of growing attempts by bad actors to try to take over people’s Second Life accounts and which has coincided with efforts to make it easier for users to process credit (cash-out) from SL (see: Your Account, Your World: Keep It Safe, published on May 23rd, 2025).

Whilst the official blog post should be read in and of itself, in keeping with the Lab’s request:

• This article repeats the guidance given there, hopefully adding some additional context as provided / suggested during the Zoom call.
• Offers a very brief summary / insight of some of the additional steps Linden Lab is taking in order to try to reduce the risks of accounts being compromised / taken over, and people losing money, beyond those mentioned in he official blog post.

Basic Account Security

• Remember: your account name is public information. It is only your password that is protecting your account.
• Never give out your password to anyone in SL, no matter how well you think you know them, or how helpful they appear to be; confidence tricking is part and parcel of the phisher’s social engineering toolset.
• Do not use the same password across multiple accounts – including third-party sites you associate with your Second Life account (e.g. e-mail, Discord, etc.).
  • Phishers may not be “just” interested in your Second Life account; they many potentially have as much interest in where the account might lead – your e-mail contacts, other accounts you use, etc., – as they are in taking your L$.
• Use a strong, unique password – at least 12 characters long, mixing upper and lower case, numbers and symbols.
• Consider using a passphrase rather than a password: these can be harder to glean or guess.
• Use LL’s Multi-Factor Authentication (MFA): yes, it’s not as perfect as it could be, and not everyone can use it. But if you can, please enable it. The added security far outweighs inconvenience of finding your account has been compromised and you are locked out of SL as a result while LL investigate.

Links and Downloads

• Don’t click on links appearing in group chats, IMs, local chat, third-party sites used in association with SL (e.g. Discord, Flickr or similar) or which arrive unsolicited, and/or which offer you the chance to download a viewer, or go to a website for “special deals”, etc.
  • Similarly, be wary of ill-defined links within avatar profiles and check those that provide a URL (e.g. does a link apparently for the Marketplace actually give the correct URL, or does it have odd letters – “mmarketplace” instead of “marketplace”, for example).
  • Do not enter your account details on any website a link has directed you to, no matter how “official” looking. Remember, SL uses single sign-on, so you should not be asked for credentials if already logged-on.
• Only download viewers from either the SL official viewer download page (e.g. by clicking the option on the right of your Account Dashboard), or by navigating yourself to the viewer’s website using the links within the Third-Party Viewer Directory. Never download a viewer via any other link (no matter how apparently trustworthy the source of the link).

Money

• Never try to obtain Linden anywhere other than the LindeX or through the Buy L$ button in the viewer.
• Don’t fall for offers of “discount” L$ purchased via external services such as Venmo or PayPal; these are scam activities and can result in you both losing money and access to your SL account.

Staying Alert and Taking Action

Staying Alert:

• All of the above can happen at any time, so treat all offers of L$, unsolicited download suggestions / links, “promotional” offers for L$, etc., as suspicious, no matter who / where they come from.
• Friends and acquaintances can have their account compromised just like anyone else – so just because you “know” the account sending you a link / offering to log-in to your account to “help” you with something, doesn’t what is being sent / suggested is safe.
• As the old truism goes: if something sounds too good to be true (and involves anything to do with account access, money, etc.) – it probably is.

If your account is comprised:

• Change your password, if you can still access your account, and if you have not done so (and can), enable MFA.
• Report the situation to Linden Lab.
• Accept the fact that the safest way to secure your information is for the Lab to lock your account for a time, and you may have to provide proof of identity before you regain control of it.
• Do not revert any password set for your account by LL back to a previously used password. Remember, any previously-compromised password remains compromised even after your account has been reset.

I’ll give you an example of how trusting people are: someone gets their account taken over. We stop their account. They come back. We verify it’s them. We change their password to something complicated – because their password was “Potato1”. What do they do? The next day, they change it back to “Potato1”. And then they get their account taken over again.

– Linden Lab Executive Chairman, Brad Oberwager, May 22nd, 2025

What the Lab Is and Will be Doing

Linden Lab has been moving to address problems of account take-overs in a number of ways, some of which will are already in place or will be coming into use soon, as per the official blog post. In addition, further changes to help protect accounts are either in active development or are being considered. These include the following.

Additional Protections  / Requirements When Processing Credit (Cashing Out)

• Enforced MFA when processing credit (cashing-out) from Second Life. If you are a creator or similar, wanting to convert L$ to fiat currency and take it out of Second Life as real-time payments, you will be required to use MFA.
  • The same may be required for those buying “large sums” of L$.
• Re-introducing delays in processing credit if:
  • The cashing-out account has seen a password change ahead of the process credit request.
  • The external receiving account has been changed or the pay-out method updated.
  • There has been an IP address change for the account logging-in (not clear on how dynamic IPs will be handed with this).
• Investigating specific options for account safety and verification where cashing-out very large sums are concerned (the example was in terms of tens of thousands of dollars).

MFA and Secure Log-in Enhancements

Linden Lab is additionally looking to:

• Enhancing the multi-factor authentication (MFA) toolset to make it easier for more people to use.
• Possibly adding passkey support to MFA.
• Implementing log-in from trusted services (e.g. Google).

However, it was noted that some of this work will take time to complete.

Additional Improvements

These are options LL is either engaged in implementing, or considering (note: this list is not exhaustive in terms of the Zoom discussion, but reflects those things indicated as being pursued / investigated):

• URL Links in Group chats, IMs, etc.:
  • Currently being scoped for inclusion in the viewer: adding a pop-up warning highlighting the risks when a user clicks on a link in an IM, Group chat, etc. This is being done in preference to disabling all such links, as it has been recognised there are legitimate use-cases for providing URL links.
  • Under investigation: providing the means for Group owners (/officers?) to be able to remove links from their Group chats.
• Log-in warning: possibly add a log-in warning to remind people not to give their passwords out, share their account etc., with a required action to remove it. However, this is not currently viewed as optimal, due to the level of irritation / upset it would cause.
• Updating interactions with Tilia to ensure greater account security. More to come on this from the Lab / in this blog in the near future.

Conclusion

Account take-over is a real threat within Second Life. While LL is attempting to minimise the risk of user accounts being compromised and money being taken, we all have a responsibility to ensure we keep our credentials as secure as possible, and that we all take a common sense approach to minimising the risks of having our accounts compromised. As such, if you are not already doing so, please do take the recommendations in the first part of this article – and in the Lab’s own blog post – seriously, and act on them.

Related Links

• Your Account, Your World: Keep It Safe – Linden Lab 
• Second Life Multi-Factor Authentication: the what and how – this blog
• Protecting Your Account: Recognizing and Avoiding Phishing Attempts – Firestorm viewer