SecurityWeek

7 Million Impacted by Lifeboat Minecraft Community Breach

The accounts of more than 7 million members of the Minecraft community “Lifeboat” have been exposed after a data breach in early 2016.

On Tuesday, security researcher Troy Hunt revealed on Twitter that the millions of accounts were exposed in January, and that he was uploading the data to his website so that users could check whether they were exposed in the breach. As usual, the data on his website comes from website breaches that have been made publicly available.

According to another tweet from the researcher, the data leak included email addresses and weakly hashed passwords, meaning that attackers could crack them rather easily. This also means that users who reused the same password for other accounts could risk further compromise.

The Lifeboat community hosts custom, multiplayer environments of the mobile version of Minecraft, allowing users to engage in new game mods. The Lifeboat systems only keep usernames, hashed passwords and email addresses, which means that no other user data could have leaked following the breach.

What’s interesting, however, is that Lifeboat appears not to have informed users of the breach, and that it didn’t publicly prompt any password resets. Lifeboat reportedly confirmed that it has been aware of the issue since January, while also suggesting that it quietly prompted password resets so that hackers would not be aware of them.

Moreover, a Lifeboat representative said that they haven’t received reports that people were harmed by the data breach. However, security researchers suggest that the data might be searchable online, meaning that at least accounts with weak passwords might be at risk.

Grayson Milbourne, the senior intelligence director at Webroot, told SecurityWeek in an email that the attack shows once again why people should use different passwords for different accounts. He also noted that Lifeboat itself tells users to choose short, albeit difficult-to-guess, passwords.

“More than likely this was an attack on LifeBoat’s servers which provided access to users’ account information. Lifeboat’s setup guide for Minecraft states the following when selecting a password – ‘we recommend short, but difficult to guess passwords. This is not online banking’,” Milbourne told SecurityWeek.

“Since Lifeboat only keeps usernames, hashed passwords and email addresses, the amount of data collected is rather limited. Passwords were hashed, but with an easily crackable MD5 hash. This is yet another example of why it is important to use different passwords for different sites. Failing to do so can lead to further account compromise when one is breached. If unique passwords are too much effort, I recommend making sure your primary email uses a unique password from all other online accounts,” he added.

We have contacted Hydreon Corporation (Lifeboat Network is a registered trademark of Hydreon) for a comment on the breach and we will update the article as soon as a reply arrives.
