Recently, we determined that a High Fidelity staff email account was compromised. Based on an audit of our logs, it appears that the account was accessed by an unauthorized user in late December and again in early January.
I’m contacting you today because this compromise may have exposed your email address and High Fidelity account username.
Your password was not decodable from this information, and no payment or credit card information or history was accessed.
We internally use a third-party analytics package. The compromised email account had access to this tool. The tool integrates with a copy of a database to allow us to track total hours of use, crash rates, and so on for users that opt to share that information. Due to an oversight, the copy of the data that we use for analytics also included these emails and High Fidelity account names. We were able to confirm that the compromised account was able to access this user information through the analytics package.
This information also included salted and hashed passwords. Salting and hashing creates an unreadable string based on your password. Salted and hashed passwords cannot be used to access your High Fidelity account, and we have had no reports of High Fidelity accounts being accessed without authorization.
However, it is the case that we have failed to hold in trust personal information you gave us when you signed up for High Fidelity. I want to personally apologize for this failure.
In terms of what happens next:
We are currently reviewing the security of all of our systems and adding additional security such as two-factor authentication to all our internal email accounts.
As a precautionary measure, you might consider reviewing your email activity and particularly any emails you have received from High Fidelity. Please notify us if you see anything suspicious.
We very much hope you will continue using High Fidelity. However, if you wish to have your account deleted, please email email@example.com using the email address registered to the High Fidelity account you wish to delete to initiate this process.
Please feel free to contact us at firstname.lastname@example.org with other questions about this matter.
Looking forward, this is an opportunity to touch on how important we think identity and the security of your identity will be in virtual worlds. In our alpha and beta stages we have taken the approach of storing user information in a traditional database. But, as this breach demonstrates, this is not a perfect solution, no matter how carefully designed and managed. It is our belief that as High Fidelity becomes widely used as a platform, we must design and implement identity systems which are decentralized, under the control of you (not us), and ideally impossible to breach through any single point of attack.
See you in-world,
CEO, High Fidelity
This is a good reason to not have your money tied to your account.