Email
Password
Remember meForgot password?
    Log in with Twitter

article imagePasswords of seven million Minecraft players being sold online

By James Walker     Apr 29, 2016 in Technology
The passwords to over seven million user accounts owned by members of a popular Minecraft community have been hacked and are now being offered for sale on the dark net. The community, Lifeboat, didn't notify users until three months after the breach.
Lifeboat runs multiplayer servers for Minecraft: Pocket Edition on smartphones. The servers allow players from around the world to participate together in different game modes on the mobile edition of Minecraft.
Security researcher Troy Hunt recently told Motherboard that the community has been hacked and over seven million user accounts stolen. Hunt runs the website Have I Been Pwned, a resource that allows users to see all the data breaches they have been involved in by typing their email address into a search tool.
Hunt was contacted by a trusted source who found the Lifeboat data on the dark web. He was able to verify the authenticity of the data and is in the process of uploading it to Have I Been Pwned, allowing users to check if they were involved.
Lifeboat has been criticised for its response to the breach. The site has confirmed the data was stolen in January, over three months ago. It has only just contacted its users and admitted it was successfully hacked.
The company defended itself in an email to Motherboard, saying it "figured the best thing for our players was to quietly force a password reset." It added it didn't want to let the hackers know they had limited time to act.
Lifeboat does not store any personal data such as names, addresses, ages or payment cards. The hackers made off with only email addresses and passwords. These are still very valuable resources because many people use the same password across multiple websites. The hackers could use the data to access social media, banking and shopping sites. The account holder would be unaware of what was going on due to Lifeboat's decision not to act.
"I was stunned when I read this - you mean they knew about the incident and decided to cover it up!?" said Hunt in a blog post. "I'm used to seeing organisations genuinely have no idea they've been hacked but to see one that actually knew about it - a 7 million record breach at that - and then consciously silence the incident without telling anyone left me speechless."
If the site had contacted its users, they would be able to change their password on all affected sites. Deciding to cover the incident up so as not to alert the attackers is irresponsible and dangerous. The company's approach to security is summed up in a guide on its website in which it advises "we recommend short, but difficult to guess passwords. This is not online banking."
Long passwords should always be used, regardless of the service they are protecting. Hunt noted that sites quickly become online banking when their data is stolen and people are using the same password for multiple sites.
The seven million user accounts are being added to Have I Been Pwned. Once the data is live, the Lifeboat breach will be included when people type in their email address to see if it is included in any of the data dumps known by the site.
The Lifeboat hack is almost a mirror image of the last breach Hunt added to the site. Last week, a hack of gaming forum TruckersMP which exposed the data of 80,000 users was uploaded. TruckersMP is a free third-party multiplayer mod for the popular trucking games American Truck Simulator and Euro Truck Simulator 2 by SCS Software.
The breach was unique because it was the first time ever that Hunt was contacted by the firm that had been hacked. In a blog post titled "100 data breaches later, Have I been pwned gets its first self-submission," Hunt explained how he recently received an email from TruckersMP's administrator that requested the accounts be added to the site.
Hunt praised the TruckersMP team for their response to the incident. They publicly notified users just two hours and nine minutes after they became aware of the hack. That was 30 minutes after it took place. Lifeboat has left it three months before owning up to being hacked, and even then has done so without any obvious effort to help its users.
More about minecraft, Hack, Security, Server, Hackers
 
Latest News
Top News