Another Day, Another Hack: 7 Million Accounts for Minecraft Community ‘Lifeboat’
Security researcher Troy Hunt obtained data containing email addresses and passwords hashed with the weak MD5 algorithm.
Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.
In our series Another Day, Another Hack, we do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, real people are still getting fucked over somewhere, and should know about it.
Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt.
Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords—meaning that hackers could likely obtain full passwords from some of the data.
"The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.
Lifeboat runs servers for custom, multiplayer environments of Minecraft Pocket Edition—the smartphone version of the game—which allow Minecraft players to participate in different game modes, such as capture the flag or survival. To join the community, players download the normal Pocket Edition app, connect to a Lifeboat server, and register a username with an email address and password.
Hunt put Motherboard in touch with several victims of the breach, who said they had not been informed by Lifeboat of the hack.
"No lifeboat has not notified me of anything. Looks like they want to keep it [quiet], which I guess isn't that fair," one user called Tyler, who said he was from Airdrie, Canada, told Motherboard in an email.
"They either didn't even notice yet or just don't care," said a player named Henni.
"It's bad that they were breached in the first place, but not telling us about it is even worse," Ali, who said they were from Wisconsin, added.
Lifeboat said it had been aware of the breach for some time.
"When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act," a Lifeboat representative said in an email. "We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked."
"We have not received any reports of anyone being damaged by this," the representative added in another email. They did not reply when asked to clarify why the company did not inform users. The three players Motherboard spoke to said they had not received a password reset.
"I was able to easily verify people's passwords with them simply by Googling them, such is the joy of unsalted MD5," Hunt said. Motherboard confirmed that one of the hashes provided by Hunt corresponded to an easily guessable password. The Lifeboat representative said that the company now uses a stronger hashing algorithm.
Naturally, if victims have used the same passwords on other services, such as their email, anyone in possession of the data has a chance of accessing those accounts too.
Lifeboat's approach to security appears to be demonstrated in a how-to guide on its website. "By the way, we recommend short, but difficult to guess passwords. This is not online banking," it reads.
The lesson: If you care about the security of your accounts, you should really be using strong, unique passwords for each. That way, when a breach occurs on one service—and they will clearly happen—hackers will only be able to access that specific account.