The accounts of more than 7 million members of the Minecraft community “Lifeboat” have been exposed after a data breach in early 2016.
On Tuesday, security researcher Troy Hunt revealed on Twitter that the millions of accounts were exposed in January, and that he was uploading the data on his website, so that users could check to see if they were exposedin the breach. As usual, the data on his website comes from website breaches which have been made publicly available.
According to another tweet from the researcher, the data leak included email addresses and weakly hashed passwords, meaning that the attackers could decrypt them rather easily. This also means that users who might have been reusing the same password for other accounts could risk further compromise.
The Lifeboat community hosts custom, multiplayer environments of the mobile version of Minecraft, allowing users to engage into new game mods. The Lifeboat systems only keep usernames, hashed passwords and email addresses, which means that no other user data could have leaked following the breach.
What’s interesting, however, is that Lifeboat appears to have not informed users on the breach, and that it didn’t even publicly prompt any password resets. However, Lifeboat reportedly confirmed that it has been aware of the issue since January, while also suggesting that it has quietly prompted password resets to ensure hackers aren’t aware of that.
Moreover, a Lifeboat representative said that they haven’t received reports that people were damaged by the data breach. However, security researchers suggest that the data might be searchable online, meaning that at least accounts with weak passwords might be at risk.
Grayson Milbourne, the senior intelligence director at Webroot, told SecurityWeek in an email that the attack shows once again why people should use different passwords for different accounts. He also mentions the fact that Lifeboat themselves tell users to go for short passwords, albeit difficult to guess ones.
“More than likely this was an attack on LifeBoat’s servers which provided access to users’ account information. Lifeboat’s setup guide for Minecraft states the following when selecting a password – ‘we recommend short, but difficult to guess passwords. This is not online banking’,” Milbourne told SecurityWeek.
“Since Lifeboat only keeps usernames, hashed password and email addresses, the amount of data collected is rather limited. Passwords where hashed, but with an easily crackable MD5 hash. This is yet another example of why it is important to use different passwords for different sites. Failing to do so can lead to further account compromise when one is breached. If unique passwords are too much effort, I recommend making sure your primary email uses a unique password from all other online accounts,” he added.
We have contacted Hydreon Corporation (Lifeboat Network is a registered trademark of Hydreon) for a comment on the breach and we will update the article as soon as a reply arrives.