Over abundance of 'account security' emails
tracked
Gloss Doll
I've tried filing this as a 'support case', but Freckle Linden (who?) closed my ticket and told me to bring this issue here.
- Thank you for submitting your case. After investigation, it appears as though this issue may be a bug or error which would be best handled through our bug report system known as JIRA (http://jira.secondlife.com). While our Support team is always happy to help, there are certain technical issues which can only be addressed via a development or engineering investigation.
Something strange is happening with the 'account security' emails. I have several alt accounts, and I am seeing a large number of emails saying I've logged in to a new machine. Far more often than I am used to, and far more than seems reasonable. This increase in frequency seems to have started around October 17, 2025. I will focus on just two accounts for the purpose of this report, and I will so you can see the issue clearly.
Oct 17
- Of the accounts I logged in on October 17, I received 6 emails (one per user) stating that <account A> or <account B> accessed Second Life from a new machine. <my IP>Oct 19
- Important: <account A> accessed Second Life from a new machine. <my IP>Oct 20
- Important: <account B> accessed Second Life from a new machine. <my IP>Oct 22
- Important: <account B> accessed Second Life from a new machine. <my IP>Nov 4
- Important: <account A> accessed Second Life from a new machine. <my IP>Nov 6
- Important: <account A> accessed Second Life from a new machine. <my IP>Nov 20
- Important: <account A> accessed Second Life from a new machine. <my IP>Nov 23
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 1
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 1
- Important: <account B> accessed Second Life from a new machine. <my IP>Dec 5
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 9
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 16
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 17
- Important: <account B> accessed Second Life from a new machine. <my IP>Dec 20
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 20
- Important: <account B> accessed Second Life from a new machine. <my IP>Dec 26
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 28
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 28
- Important: <account B> accessed Second Life from a new machine. <my IP>Dec 29
- Important: <account A> accessed Second Life from a new machine. <my IP>Dec 29
- Important: <account B> accessed Second Life from a new machine. <my IP>Now here's the thing. Aside from a couple of attempts to use the mobile viewer, I have been consistently using my desktop computer. This computer hasn't changed. My IP Address (both on our home LAN, and the household IP) hasn't changed! My MAC hasn't changed. My OS hasn't changed. I haven't done any major computer rebuilds or OS reinstalls that would result in notable hardware or software changes. I also haven't logged these accounts in with any other computers. I feel it's important to note that I didn't attempt to log <account B> into SL every single day. <account A> is my 'daily driver' account.
These emails are coming in
FAR
too frequently to be explained by those brief mobile app attempts. The app has not been launched in days, and the device it is installed on, has been powered off and rebooted in the time since.To confuse things more, someone else, in the same household (on the same external IP!) has been logging in from a different computer, and has received NONE of these alert messages.. it's JUST ME and my accounts!
I've enabled Multi-factor authentication on both accounts, I've checked my transaction history, both https://accounts.secondlife.com/transaction_history and https://secondlife.com/my/lindex/history.php and I have seen no transactions that would indicate someone is using my accounts without my permission.
I only see these notification emails after I log in to my own accounts.. I've never seen them appear any other time.. and no one to my knowledge has access to my email.
I do not believe
that this is an unauthorized account access issue.These messages are important.. it's important for me to know if my account is logged in without my consent. I value these messages. But at this point, the system is crying wolf.. and it's getting to the point where I've considered making an email filter to automatically delete them before I see them.. because they are only creating false scares and annoying me.
Something's wrong with the system here.. whether it's on your end or mine, I can't tell. What I do know is that these emails aren't useful in their current form.. and they should be! They need to be!
Log In
Maestro Linden
marked this post as
tracked
Imported to https://github.com/secondlife/viewer/issues/5281 - I was able to reproduce the issue myself by manually creating a new filesystem reference in /dev/disk/by-uuid/
Maestro Linden
Hi Gloss Doll, I looked into your recent login history, and believe that the frequent 'account security' emails are being triggered by the viewer reporting a variety of 'volume serial' values on different login sessions. 'volume serial' doesn't change _each_ of your login sessions, but it does appear to change more than once a day for you.
'volume serial' is meant to be a secondary hardware identifier, tied to filesystem information. Here's how it's computed on linux with the SL viewer (apparently Firestorm uses the same algorithm):
Basically, 'volume serial' is calculated as a hash of the longest ID seen in
/dev/disk/by-uuid/
. If multiple IDs have the same length, then one is picked alphabetically. So 'volume serial' would potentially change if disks were added or removed from the system to update the list shown in /dev/disk/by-uuid/
.I'm not able to reproduce this on my own linux machine (running Arch), but it's easy to imagine how the the state of
/dev/disk/by-uuid/
could change in a way that impacts the calculated 'volume serial', including things like adding or removing disks (USB drives? some sort of virtual drive?).It would be helpful to know if and how the output of
/dev/disk/by-uuid/
is changing on Linux machines that are hitting this issue. Could some of you try polling the output of that directory and look for changes? From there, we might be able to figure out a way to improve the 'volume serial' algorithm to give more consistent results on a given machine. # Look at the file list:
$ ls /dev/disk/by-uuid/
89b104c0-9df4-4b6e-bedc-8b2c52747b23
...
# Get a hash of the full filesystem list:
$ ls /dev/disk/by-uuid/ | md5sum -
b1172ed690b3d0465e878b219e1f890d -
Vala Vella
Maestro Linden here's the output for my system between two reboots:
qetesh@qeteshpc:~$ ls /dev/disk/by-uuid/
17282b9b-491a-401e-a5ed-720ff70d212c e6956258-8869-47d8-88e1-2520dd381db9
62bf1af3-295c-4ff4-9140-fae86f770517 F819-8691
qetesh@qeteshpc:~$ ls /dev/disk/by-uuid/ | md5sum -
44db8cc78f65a79f9d9950a02cc44b02 -
qetesh@qeteshpc:~$ ls /dev/disk/by-uuid/
17282b9b-491a-401e-a5ed-720ff70d212c c3fd791b-0b3b-4a86-857f-45a67e1d0290
62bf1af3-295c-4ff4-9140-fae86f770517 F819-8691
qetesh@qeteshpc:~$ ls /dev/disk/by-uuid/ | md5sum -
4e2c74df87c3bd30c5f1c7cee8e77cb8 -
The changing one points to /dev/zram0
Maestro Linden
Vala Vella: Awesome, thanks. From my understanding of the 'volume serial' algorithm, it would definitely be taking a hash of
e6956258-8869-47d8-88e1-2520dd381db9
in your first boot and then c3fd791b-0b3b-4a86-857f-45a67e1d0290
in the 2nd boot, since those UUIDs are among the longest and also happen to proceed the other filesystem UUIDs alphabetically. I'm not surprised that a zram filesystem would dynamically change like that on each boot. On Windows, the viewer primarily calculates 'volume serial' based on the C: drive's volume identifier, which wouldn't change much under normal use. I think that for a linux system, using the UUID of whatever filesystem is mounted to
/
would be equivalent (and also fairly static).Vala Vella
Maestro Linden Sounds about right, though for example on bazzite / does not point to a disk since it is a read-only system so this might also not be a perfect solution.
Maestro Linden
Vala Vella: interesting, I would think that the / path would have to be on _some_ filesystem, but I suppose an immutable Linux distro could have some sort of hardcoded filesystem with a fixed uuid for all users. Perhaps the filesystem that the viewer executable lives in would be more appropriate?
As an aside, I was curious about resolving filesystem uuid based on path; looks like you can do something like this to get that info (adapted from https://stackoverflow.com/questions/28110013/how-to-get-uuid-of-filesystem-given-a-path ):
$ blkid -o value $(df --output=source /home |tail -1 ) | head -1
89b104c0-9df4-4b6e-bedc-8b2c52747b23
Beatrice Voxel
Maestro Linden Oh wow. This is a good find. You're probably right that Windows wouldn't see this, since it's not a likely occurrence that drive identifiers would change all that often unless the viewer was installed on an external drive. Since the viewers don't have a self-contained mode (they all have registry keys that have to be applied under Windows) it's not likely that such an install would be commonly used. Rather than C:, I'd recommend %userprofile% since this always expands to [drive]:/users/[username]/ regardless of how the system is set up AND won't corrupt one user's SL cache data with someone else's on the same machine.
For a Linux distro, I would think the equivalent "static" (yet mutable) volume ID might be something under /usr/%loginID%/ which once established SHOULD stay constant for each person using the system. The base / path, while always mounted, would be a bit too central to the OS to be of any use as a user document/file space anyhow.
As for why I'm advocating the machine ID be linked to users and not just machines, it extends the "someone is logging into your account" beyond a different machine, but as someone else on a shared machine. If it's keyed to the root / folder (C:/ on Windows) then regardless of who uses the program on that box, once that ID is set, there will be no flag if someone else steals creds and sits down at that same box (family member, housemate, whatever). But linking to user folders makes sure that IF an account is accessed by a different person, regardless of which computing device they use to do so, there will be an alert generated and an email sent to the account owner.
Vala Vella
Maestro Linden on bazzite blkid correctly shows the uuid - just the filter doesnt work correct here since the uuid is in second place in the output. on first place there's the volume label. but in general using the uuid for the home folder would work here!
Dan Linden
marked this post as
needs info
Dan Linden
Hi Gloss.
Is your MAC address changing each session? If so, this is expected behavior.
Gloss Doll
Dan Linden No. Our home network uses DHCP and fixed address assignments. There are other SL users in the house hold with identical setups and they aren't getting alerts.
This has been detailed in the above mentioned support ticket #2449808
I originally reported this issue via a support ticket, but was asked by Freckle Linden to create this feedback post for some reason. However, personally identifiable information does not seem appropriate to post on a publicly accessible Canny. That information, and other machine identifier and technical network information has been added to the support ticket.
Lettie Linden
Gloss Doll do you have the same issues with the official SL viewer?
Gloss Doll
Lettie Linden - I'm using Arch Linux. Linden Lab does not ship a viewer for Linux.
I am using Firestorm-Betax64 7.2.3.80000
And before you ask, no these 'you have accessed second life from a new machine' emails do not coincide with beta version updates. I've definitely seen multiple versions of these emails rolling in, when I've changed nothing on my machine.
It's happening to another user I know, on Bazzite.
Vala Vella
I have the exact same problem since I switched from Windows to Linux a few weeks ago. Every single time I log in I get a mail from lindenlab informing me that "Your Second Life account has been accessed from a new machine"
I switched from Windows 11 to Bazzite Linux and I am quite sure that was the moment it started. I deleted my windows installation to install linux so I can't go back to check if it happens there as well.
At first I ignored it, thinking it's just a glitch, but by now it gets annoying and makes these mails pointless.
Beatrice Voxel
This definitely needs to be investigated, whether it be a one off, or something that's more pervasive.
Security measures that are so obnoxiously verbose that the user disables them, are not secure at all.
Gloss Doll
Jan 4
- Important: <Account A> accessed Second Life from a new machine. (same IP)Jan 4
- Important: <Account B> accessed Second Life from a new machine. (same IP)Gloss Doll
Jan 5
- Important: <Account A> accessed Second Life from a new machine. (same IP)Jan 5
- Important: <Account B> accessed Second Life from a new machine. (same IP)Gloss Doll
Jan 9 - Important: <Account B> accessed Second Life from a new machine. (same IP)
Jan 9 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Gloss Doll
Jan 11 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Jan 11 - Important: <Account B> accessed Second Life from a new machine. (same IP)
Gloss Doll
Jan 12 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Jan 12 - Important: <Account B> accessed Second Life from a new machine. (same IP)
Gloss Doll
Jan 15 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Jan 15 - Important: <Account B> accessed Second Life from a new machine. (same IP)
Gloss Doll
Jan 18 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Jan 18 - Important: <Account B> accessed Second Life from a new machine. (same IP)
Gloss Doll
Jan 24 - Important: <Account A> accessed Second Life from a new machine. (same IP)
Jan 24 - Important: <Account B> accessed Second Life from a new machine. (same IP)