7 Million Impacted by Lifeboat Minecraft Community Breach

The accounts of more than 7 million members of the Minecraft community “Lifeboat” have been exposed after a data breach in early 2016.

On Tuesday, security researcher Troy Hunt revealed on Twitter that the millions of accounts were exposed in January, and that he was uploading the data to his website so that users could check whether they were exposed in the breach. As usual, the data on his website comes from website breaches that have been made publicly available.

According to another tweet from the researcher, the data leak included email addresses and weakly hashed passwords, meaning that attackers could crack them rather easily. This also means that users who reused the same password for other accounts risk further compromise.

The Lifeboat community hosts custom, multiplayer environments for the mobile version of Minecraft, allowing users to play new game mods. The Lifeboat systems only keep usernames, hashed passwords and email addresses, which means that no other user data could have leaked following the breach.

What’s interesting, however, is that Lifeboat appears not to have informed users of the breach, and that it didn’t even publicly prompt any password resets. However, Lifeboat reportedly confirmed that it has been aware of the issue since January, while also suggesting that it quietly prompted password resets so that hackers would not be aware of it.

Moreover, a Lifeboat representative said that they haven’t received reports that people were harmed by the data breach. However, security researchers suggest that the data might be searchable online, meaning that at least accounts with weak passwords might be at risk.

Grayson Milbourne, the senior intelligence director at Webroot, told SecurityWeek in an email that the attack shows once again why people should use different passwords for different accounts. He also noted that Lifeboat itself tells users to choose short passwords, albeit ones that are difficult to guess.

“More than likely this was an attack on LifeBoat’s servers which provided access to users’ account information. Lifeboat’s setup guide for Minecraft states the following when selecting a password – ‘we recommend short, but difficult to guess passwords. This is not online banking’,” Milbourne told SecurityWeek.

“Since Lifeboat only keeps usernames, hashed passwords and email addresses, the amount of data collected is rather limited. Passwords were hashed, but with an easily crackable MD5 hash. This is yet another example of why it is important to use different passwords for different sites. Failing to do so can lead to further account compromise when one is breached. If unique passwords are too much effort, I recommend making sure your primary email uses a unique password from all other online accounts,” he added.

We have contacted Hydreon Corporation (Lifeboat Network is a registered trademark of Hydreon) for a comment on the breach and we will update the article as soon as a reply arrives.
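The storage weakness described above, set beside a hardened form, as an added example that is not code from SecurityWeek, Lifeboat or Hydreon. It assumes the MD5 hashes were unsalted (the article only says MD5); the function names, record format and iteration count are hypothetical. `wrap_legacy` shows how an operator can re-protect stored MD5 digests immediately, without waiting for each user to log in.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)


def legacy_md5(password: str) -> str:
    """Weak scheme: one fast MD5 pass with no salt (unsalted is an assumption)."""
    return hashlib.md5(password.encode()).hexdigest()


def _kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    # Slow, salted derivation: each guess costs `iterations` HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def hash_password(password: str) -> str:
    """Hardened scheme: per-user random salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = _kdf(password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def wrap_legacy(md5_hex: str) -> str:
    """Re-protect an already stored MD5 digest without knowing the password."""
    salt = os.urandom(16)
    digest = _kdf(md5_hex.encode(), salt, ITERATIONS)
    return f"md5-pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a login attempt against either record type in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    secret = password.encode()
    if scheme == "md5-pbkdf2":  # wrapped legacy record: MD5 first, then the KDF
        secret = legacy_md5(password).encode()
    elif scheme != "pbkdf2":
        return False
    candidate = _kdf(secret, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample: a short password that two different users might both pick.
SAMPLE = "abc123"
```

With unsalted MD5, every user who chose the same password has the same stored value; the salted records differ per user even for identical passwords.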
