Over seven million members of the independent Minecraft “Lifeboat” community have had their security and privacy put at risk after hackers breached servers and stole usernames, email addresses and MD5-hashed passwords.
It’s important to note that only players of the smartphone edition of Minecraft were affected, and even then only if they were members of the independent “Lifeboat” community, which runs a variety of servers offering free-to-play multi-player games on the Minecraft platform.
All the same, Lifeboat has over seven million users. And unsalted MD5 hashes are a notoriously weak way to store passwords: MD5 is built for speed, and without a per-user salt the same password always produces the same hash, so one cracked hash unmasks every user who chose that password and criminals can run dictionary and brute-force attacks across the whole dump in short order.
To make matters worse, as Lifeboat tells Motherboard, the security breach happened in January – and the company did not inform its users that an incident had occurred and that gamers would be wise to ensure they were not using the same passwords anywhere else on the web:
“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.”
In short, for the last four months passwords belonging to members of the Lifeboat community have been in the hands of online criminals, who could have used them to break into innocent people’s other online accounts. Lifeboat knew about this, but didn’t tell its users.
Could a worse picture be painted of how well Lifeboat was caring for its users?
Well, yes. Perhaps it could.
Check out this section of Lifeboat’s “Getting Started” guide:
“You will then be prompted for a password and an email. Use a real email. You will need to use it if you ever forget your password, so be sure it is valid. By the way, we recommend short, but difficult to guess passwords. This is not online banking.”
Yup, they recommended short passwords… Quite what they perceive the benefit to be of short passwords for anyone other than criminals trying to crack them I cannot imagine.
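To make concrete why the two points above matter, unsalted MD5 storage and the advice to pick short passwords, here is an added Python example that is not part of the original article and has nothing to do with Lifeboat's actual systems. The usernames, passwords and wordlist are constructed for the demonstration; the dump is generated from those constructed plaintexts so the hashes are reproducible, but the two attacker functions only ever see the hash column. The last two functions show what the site should have stored instead: a per-user random salt and a deliberately slow key derivation function.

```python
import hashlib
import hmac
import itertools
import os
import string

# --- Constructed data (made up for this example, not from the real dump) ----
# Plaintexts the example users chose. The "breach dump" LEAKED is derived from
# them so the demo is reproducible; the attacker functions below only see hashes.
_CONSTRUCTED_PLAINTEXTS = {
    "steve":     "minecraft",                     # common word, reused by two users
    "alex":      "minecraft",
    "herobrine": "password",
    "creeper":   "lava",                          # "short but hard to guess", as advised
    "enderman":  "correct horse battery staple",  # long passphrase
}
# A tiny stand-in for the multi-million-entry wordlists attackers actually use.
WORDLIST = ["123456", "password", "minecraft", "letmein", "qwerty", "dragon"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the form in which the leaked passwords were stored."""
    return hashlib.md5(password.encode()).hexdigest()


LEAKED = {user: md5_hex(pw) for user, pw in _CONSTRUCTED_PLAINTEXTS.items()}


def hash_to_users(leaked: dict) -> dict:
    """Invert the dump. With no salt, identical passwords give identical hashes,
    so every candidate the attacker tries is checked against all users at once."""
    index = {}
    for user, h in leaked.items():
        index.setdefault(h, []).append(user)
    return index


def dictionary_attack(leaked: dict, wordlist) -> dict:
    """One MD5 per candidate word, compared against the whole dump."""
    index = hash_to_users(leaked)
    cracked = {}
    for word in wordlist:
        for user in index.get(md5_hex(word), []):
            cracked[user] = word
    return cracked


def brute_force(leaked: dict, alphabet=string.ascii_lowercase, max_len=4) -> dict:
    """Exhaust every string up to max_len characters. Short passwords fall in
    well under a second on one CPU; GPU rigs push this to far longer lengths."""
    index = hash_to_users(leaked)
    remaining = set(leaked)
    cracked = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            for user in index.get(md5_hex(candidate), []):
                cracked[user] = candidate
                remaining.discard(user)
            if not remaining:
                return cracked
    return cracked


# --- What the site should have stored instead --------------------------------
def hash_password(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard
    library). A memory-hard KDF such as scrypt or Argon2 is better still."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("dictionary attack:", dictionary_attack(LEAKED, WORDLIST))
    print("brute force (a-z, <=4 chars):", brute_force(LEAKED))
    stored = hash_password("minecraft")
    print(stored)
    print("verify:", verify_password("minecraft", stored))
```

Running it, the six-word dictionary recovers three of the five accounts at once (steve and alex share a hash, so one MD5 cracks both), the four-character "difficult to guess" password falls to exhaustive search of lowercase strings, and only the long passphrase survives. With the salted PBKDF2 store, two users with the same password get different records, each candidate must be re-derived per user at 200,000 iterations, and the check is done in constant time.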
And yes, Lifeboat isn’t an online bank.
But if you use the same password on Lifeboat as your eBay, Amazon, GMail or any other online account – then you can easily see why such sloppy security practices by even a gaming site could be disastrous. Especially if you don’t bother to tell your users that there’s an issue…
Getting hacked is bad enough. Not telling your users is unforgivable.
Thank heavens security researcher Troy Hunt, who runs the HaveIBeenPwned breach notification service, was contacted by someone who had access to the data, and users are now being informed of the risk.