Data Breach on Burn2 Website
Notice
NOTICE OF DATA BREACH AT BURN2.ORG
What Happened?
For some unknown period of time before September 29th, 2024, a common file directory/folder associated with WordPress on the Burn2.org web server was discovered to have been set to public access, allowing anyone worldwide to see and download the data within it. Most of this data was benign, common data readily available through basic use of the Burn2 website. However, some of the data in the folder contained responses from past Burn2 Volunteer and Performer signups from events dating back to 2019 or earlier.
At this point it’s important to stress: DO NOT PANIC.
What Information Was Involved?
In the case of the Burn2 Data Breach, the investigation revealed that the affected signup form data mostly consisted of Second Life® usernames paired with email addresses and scheduled times of shifts. This data does not necessarily constitute private data under many security laws. However, as Second Life (SL) password recovery does ask for the SL username and associated email, it is possible this exposed data could be used to request password resets on the accounts of associated users. Unless the user's email accounts are also compromised through other means, this is unlikely to result in more than an annoyance.
What Has Burn2 Done Once Aware of the Problem?
On September 29th, 2024, the common directory in question was made inaccessible to the public. Further review continues at this time to ensure the data remains secured.
What You Can Do.
Increased vigilance over the access of your Second Life account and associated email for a couple of months is recommended.
Use extreme caution in responding to anyone claiming to be from Burn2 or Linden Lab® who messages you in Second Life or emails you asking for SL account or other private information. Usually those from both groups should already have what information they need about you.
Take note if any Second Life password reset requests that you did not initiate show up in your associated email. You should not respond to them or start the reset process. However, do not consider or mark these automatically as spam, especially if they appear to be originating from Second Life or Linden Lab.
It is highly recommended you turn on multi-factor authentication if you have not done so already to better protect your Second Life account: https://accounts.secondlife.com/mfa/status?
For extra security, if you have not done so already, it is recommended to set up a separate, valid email address for forms and correspondence with Burn2; don't use the same email address you use for your Second Life account.
Other Important Information.
If you want the data you submitted for events to be removed once the events have concluded, you can now request this using the contact form.
For further questions you can reach Burn2 via the contact form: https://www.burn2.org/contact-us/.