Important information about your High Fidelity account


#1

26.JAN.2017
Recently, we determined that a High Fidelity staff email account was compromised. Based on an audit of our logs, it appears that the account was accessed by an unauthorized user in late December and again in early January.

I’m contacting you today because this compromise may have exposed your email address and High Fidelity account username.

Your password was not decodable from this information, and no payment or credit card information or history was accessed.

We internally use a 3rd party analytics package. The compromised email account had access to this tool. The tool integrates with a copy of a database to allow us to track total hours of use, crash rates, and so on for users that opt to share that information. Due to an oversight, the copy of the data that we use for analytics also included these emails and High Fidelity account names. We were able to confirm that the compromised account was able to access this user information through the analytics package.

This information also included salted and hashed passwords. Salting and hashing creates an unreadable string based on your password. Salted and hashed passwords cannot be used to access your High Fidelity account, and we have had no reports of High Fidelity accounts being accessed without authorization.

However, it is the case that we have failed to hold in trust personal information you gave us when you signed up for High Fidelity. I want to personally apologize for this failure.

In terms of what happens next:
We are currently reviewing the security of all of our systems and adding additional security such as two-factor authentication to all our internal email accounts.
As a precautionary measure, you might consider reviewing your email activity and particularly any emails you have received from High Fidelity. Please notify us if you see anything suspicious.
We very much hope you will continue using High Fidelity. However, if you wish to have your account deleted, please email requests@highfidelity.io using the email address registered to the High Fidelity account you wish to delete to initiate this process.
Please feel free to contact us at support@highfidelity.io with other questions about this matter.
Looking forward, this is an opportunity to touch on how important we think identity and the security of your identity will be in virtual worlds. In our alpha and beta stages we have taken the approach of storing user information in a traditional database. But, as this breach demonstrates, this is not a perfect solution, no matter how carefully designed and managed. It is our belief that as High Fidelity becomes widely used as a platform, we must design and implement identity systems which are decentralized, under the control of you (not us), and ideally impossible to breach through any single point of attack.

See you in-world,

Philip Rosedale
CEO, High Fidelity

This is a good reason to not have your money tied to your account.
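The oversight described in the notice (a full database copy, identifiers and password hashes included, handed to a third-party analytics tool) is the kind of thing an allow-list export prevents. The following is an added example, not High Fidelity's code: it projects user records onto only the metrics analytics needs, pseudonymises the account key with a keyed HMAC so hours and crash rates still join per user, and audits the result before hand-off. Field names, the export key and the sample records are constructed for the demo.

```python
import hashlib
import hmac

# Usage metrics the analytics tool actually needs (allow-list, not deny-list).
ANALYTICS_FIELDS = ("hours_used", "crash_count")
# Direct identifiers and credential material that must never leave the primary DB.
FORBIDDEN_FIELDS = ("email", "username", "password_hash", "password_salt")

# Constructed export key for this demo; in practice it lives in a secrets store
# and is never shared with the analytics vendor.
EXPORT_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(user_id, key=EXPORT_KEY):
    """Keyed, stable pseudonym: metrics still join per user across exports,
    but the token cannot be mapped back to an account without the key."""
    return hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def build_analytics_replica(users, key=EXPORT_KEY):
    """Project the user table onto the fields analytics is allowed to see.
    Only opted-in users are exported; every other column is dropped by construction."""
    rows = []
    for user in users:
        if not user.get("opted_in", False):
            continue
        row = {"pseudo_id": pseudonymize(user["id"], key)}
        row.update({f: user[f] for f in ANALYTICS_FIELDS})
        rows.append(row)
    return rows


def audit_replica(rows):
    """Final gate before hand-off: list any forbidden column present in any row."""
    present = {f for row in rows for f in row if f in FORBIDDEN_FIELDS}
    return sorted(present)


# Constructed sample records (not real accounts).
SAMPLE_USERS = [
    {"id": 1, "email": "alice@example.com", "username": "alice",
     "password_hash": "constructed-hash-1", "password_salt": "constructed-salt-1",
     "hours_used": 12.5, "crash_count": 1, "opted_in": True},
    {"id": 2, "email": "bob@example.com", "username": "bob",
     "password_hash": "constructed-hash-2", "password_salt": "constructed-salt-2",
     "hours_used": 3.0, "crash_count": 0, "opted_in": False},
]

if __name__ == "__main__":
    replica = build_analytics_replica(SAMPLE_USERS)
    print(replica)                                   # one row: pseudo_id + metrics only
    print("replica leaks:", audit_replica(replica))  # []
    print("raw copy leaks:", audit_replica(SAMPLE_USERS))
```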


Hacked? Email from High Fidelity?
#2

I knew I shouldn’t have given that 22 million dollars to that guy “claiming to be developing the future of VR”

like Bush said “There’s an old saying in Tennessee—I know it’s in Texas, probably in Tennessee—that says, fool me once, shame on, shame on you. Fool me—you can’t get fooled again.”


#3

I think it’s funny they say they want everything decentralized, but it is obvious they want a centralized “hifi coin” in a wallet attached to your account. I will eat my hat if they decide to implement actual cryptocurrency with open-source code (that isn’t an ICO money grab). I am 99% sure they won’t, though. Look at all the free money they can gain from releasing their own cryptocoin, especially if it is centralized. If they make it so they can print unlimited amounts of it, it is no longer a cryptocoin, though; it’s just Lindens all over again.


#4

It’s good they admitted the mistake.
I’m sure it will produce heated discussion, but I hope when we come out of Beta hifi will have some rock solid security in place. I would hate to lose either of the coins I have to rub together.


#5

They are legally obligated to report data breaches under California law. They didn’t do it to be nice.


#6

Sure, but they coulda passed it off as ‘alternative facts’ as is popular these days


#7

#8

thx for posting, @Cracker.Hax. I was just about to do so. Feel free to ask any other questions here, and I can endeavor to answer.

It is possible that a blockchain solution for identity makes sense, in addition to currency, as you note above. This is something we are looking at the feasibility of doing.


#9

What about third party currency solutions, are you going to support those or try to keep a monopoly on it?


#10

Well, better a breach now than later when HiFi is going public.
Only thing that makes me curious a bit is that the analytics package also included email, username and password. That’s a bit of a huge oversight.


#11

Maybe this is part of the stress test?


#12

Must be one with NDA. They only told us about a server stress test.
Not about a user stress test. :hushed:


#13

Maybe true on obligation, but it was informative & helpful in a non-legalese type way, very appreciated to see :clap:


#14

---------- Original Message ----------
From: Philip Rosedale support@highfidelity.io
To:
Date: January 26, 2017 at 4:23 PM
Subject: Important information about your High Fidelity account


I received this email today and would like to know its legitimacy. Anyone else get this?


#15

We all got it.
See: https://forums.highfidelity.com/t/important-information-about-your-high-fidelity-account


#16

Hmm, that’s very strange. I haven’t gotten this email, nor any additional emails for a while. I’ve checked spam, but thankfully this matter isn’t a big deal to me and I got the update during the meeting today.

I’ll have to poke support and see if there is an issue with my email address.


#17

@FlameSoulis, just checked, and our records show we did send this email to the email account registered to your High Fidelity account. It’s not marked as having bounced.


#18

Ah! Here we go, I found out why: I have 2 primaries and got confused when I found billing in one and assumed that one to be the one where Hifi’s email notifications were going. I found the email on the correct address and it did indeed arrive properly. Thanks for the quick response.