Over 7 Million Accounts for Minecraft Community Hacked (vice.com)
Joseph Cox, reporting for Motherboard: Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt. Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords -- meaning that hackers could likely obtain full passwords from some of the data. "The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.
Re: (Score:2, Informative)
This story doesn't have anything to do with Microsoft.
It's a 3rd party forum/service, and has nothing to do with actual Minecraft accounts.
It also happened several months ago, the provider has been forcing resets and changed their hashing algorithm to something not completely stupid.
Re: (Score:2)
TLDR: The stupid Lifeboat people used MD5 hashes (Score:5, Informative)
Re: (Score:3)
I know, right? ROT13 is much better and ROT26 is twice as good.
Re: (Score:2, Funny)
One of the common themes in all of the security breaches and software security bugs that we've encountered lately is that an intelligent programmer isn't being used.
As these breaches continue to happen, the more I realize that we need to start rewriting all of our software to use an intelligent programmer. It won't be an easy process, of course. Nothing worth doing ever is easy! But once we do rewrite all of our software using a person that's as safe as an intelligent programmer then we'll all be a lot bett
Oh, look. It's the Hipster Switcharoo Fallacy. (Score:1)
You've committed the Hipster Switcharoo Fallacy. This logical fallacy, typically committed by hipsters, involves taking a sound, sensible argument and using it as a template when creating a new argument that's supposed to contradict the original argument. A few words are switched, and the hipster thinks he has come up with a witty rebuttal to the argument, when in reality he has only made himself look like a blithering idiot. The new argument is typically flawed in most ways.
First of all, you forgot to swit
Re: (Score:1)
It's not that the programmers are unintelligent, it's that they don't understand or know about security. Worse yet, they might think they do know a lot about security. I've been in the automotive industry for a decade, and I did write some crypto-using code for a secure update and configuration channel when I was a young guy. But, the key interface was designed AND implemented by a more senior engineer, and he reviewed my code as well. I wrote tests for his part. Now, I know enough about security to be scar
Re:Was Rust being used? Probably not! (Score:4, Informative)
In Rust, the default "hash" function (std::hash - https://doc.rust-lang.org/std/hash/) uses SipHash 2-4, which isn't cryptographically secure (http://crypto.stackexchange.com/questions/17996/is-siphash-cryptographically-secure). Developers need to use a third party "crate" like pwhash (https://users.rust-lang.org/t/pwhash-a-password-hashing-verification-library/4581) to get some decent hashing algorithms in their Rust app, and even then, Rust developers still need to be smart enough not to pick one of the insecure options. (Fortunately, the pwhash doc is pretty good.)
Re: (Score:1)
What gets me is that in 2016, most web management software requires you to use 3rd party solutions to properly protect passwords. We have known that encrypting, hashing and salting passwords in the DB should be done in all cases, for the past 10 years at least, but most software makes a web developer look elsewhere for the functionality.
Re: (Score:1)
Re: (Score:3)
I'm sorry, is there a secret underground war between Minecraft players and Facebook users that we don't know about?
Re: (Score:3)
Re: (Score:2)
"Have I Been Pwned?" (Score:1)
No, but if you ask and draw attention to yourself, you probably will be... or an arrest warrant may pop up... It's almost quantum. Asking questions about something or someone will have an effect on it/them.
As always... (Score:2)
Re: (Score:1)
Uh Oh... results for "nobody@example.com":
"Pwned on 6 breached sites and found 3 pastes (subscribe to search sensitive breaches)"
Re: (Score:2)
For super accurate results, enter your user name and password into the form provided. Then the answer is guaranteed to be correct.
Lifeboat accounts hacked, not Minecraft accounts (Score:2)
Uh oh (Score:2)