7 million Minecraft Pocket Edition players put at risk after Lifeboat hack

Over seven million members of the independent Minecraft “Lifeboat” community have had their security and privacy put at risk after hackers breached servers and stole usernames, email addresses and MD5-hashed passwords.

It’s important to note that only players of the smartphone edition of Minecraft were affected, and even then only if they were members of the independent “Lifeboat” community, which runs a variety of servers offering free-to-play multi-player games on the Minecraft platform.

All the same, Lifeboat has over seven million users. And unsalted MD5 hashes are a notoriously weak way to secure passwords, making them trivial for criminals to crack.
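To make the weakness concrete, here is an added illustration (not part of the original article, and not Lifeboat's code) that stores the same accounts as unsalted MD5 and as salted scrypt, then audits each table for users who share a stored hash. The account names, passwords and scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from the breach).
ACCOUNTS = [("alice", "dragon1"), ("bob", "dragon1"), ("carol", "Tr0ub4dor&3")]


def md5_unsalted(password):
    """Weak scheme described in the article: a bare, fast MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_hash(password, salt=None):
    """Hardened scheme: per-user random salt plus a memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scrypt_hash(password, salt)[1], expected)


def shared_hash_groups(rows):
    """Group users by stored hash; a group larger than one exposes a shared password."""
    groups = {}
    for user, stored in rows:
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def audit():
    """Return (groups under unsalted MD5, groups under salted scrypt)."""
    md5_rows = [(u, md5_unsalted(p)) for u, p in ACCOUNTS]
    scrypt_rows = [(u, scrypt_hash(p)[1]) for u, p in ACCOUNTS]
    return shared_hash_groups(md5_rows), shared_hash_groups(scrypt_rows)


if __name__ == "__main__":
    weak, strong = audit()
    print("unsalted MD5, users sharing a hash:", weak)
    print("salted scrypt, users sharing a hash:", strong)
```

Without a salt, one computation of a common password's hash matches every account that uses it, on any site that stores MD5 the same way; with a per-user salt and a deliberately slow function, each account has to be attacked separately.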

To make matters worse, as Lifeboat tells Motherboard, the security breach happened in January – and the company did not inform its users that an incident had occurred and that gamers would be wise to ensure they were not using the same passwords anywhere else on the web:

“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.”

In short, for the last four months passwords belonging to members of the Lifeboat community have been in the hands of online criminals, who could have used them to break into innocent people’s other online accounts. Lifeboat knew about this, but didn’t tell its users.

Could a worse picture be painted of how well Lifeboat was caring for its users?

Well, yes. Perhaps it could.

Check out this section of Lifeboat’s “Getting Started” guide:

“You will then be prompted for a password and an email. Use a real email. You will need to use it if you ever forget your password, so be sure it is valid. By the way, we recommend short, but difficult to guess passwords. This is not online banking.”

Yup, they recommended short passwords… Quite what they perceive the benefit to be of short passwords for anyone other than criminals trying to crack them I cannot imagine.

And yes, Lifeboat isn’t an online bank.

But if you use the same password on Lifeboat as your eBay, Amazon, GMail or any other online account – then you can easily see why such sloppy security practices by even a gaming site could be disastrous. Especially if you don’t bother to tell your users that there’s an issue…

Getting hacked is bad enough. Not telling your users is unforgivable.

Thank heavens security researcher Troy Hunt, who runs the HaveIBeenPwned breach notification service, was contacted by someone who had access to the data, and users are now being informed of the risk.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • As a parent I find this very disturbing and I'm glad we are valiant at using complex passwords in our home, however the advice given by Lifeboat upon registration is unconscionable and likely has caused this hack to take place. To add insult to injury by not advising their users, that's just messed up!