Over seven million user accounts from “Lifeboat”, a Minecraft community, have been hacked due to a breach of the community’s private server back in January. The gamers, however, weren’t notified of the breach.
An independent security researcher has revealed that the breach exposed over 7 million users’ email details and that, amazingly, the private network did not inform the users of the breach.
The breach came to light when security researcher Troy Hunt told Motherboard that the data was communicated to him by an anonymous source who is actively involved in trading confidential data that often leads to identity theft.
The breached data includes email addresses and, notably, weakly hashed passwords, which means malicious hackers could plausibly obtain the complete passwords of users from the data.
As a company, Lifeboat runs private servers offering custom, multiplayer environments of the Minecraft Pocket Edition. To join the community, a user will have to register with a username and password.
In an email statement to Motherboard, a representative for Lifeboat flatly admitted to having known about the breach and came up with what they saw as a solution to the predicament.
When this happened [in] early January, we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act.
It could be argued that Lifeboat made the decision to hold back from publicly revealing the hack for the benefit of the users whilst subtly forcing all users to reset their passwords. However, the password reset endeavor was done “over a period of some weeks,” the representative added, while insisting that no personal information was leaked since it isn’t retained by the servers.
Furthermore, the passwords contained in the breach were hashed with the weak MD5 algorithm, which can easily be broken by using simple, freely available password hacking tools that are found online.
Indeed, security researcher Hunt, who revealed news of the breach, stated:
I was able to easily verify people’s passwords with them simply by Googling them, such is the joy of unsalted MD5.
Hunt runs the popular breach notification website and resource “Have I been Pwned?”, a website that allows users to check if their account has been compromised by any breaches in the past.
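To illustrate the unsalted MD5 weakness described above, the following added example (not Lifeboat's code and not part of the original article) contrasts that scheme with a per-user salted, slow hash built from Python's standard library. The usernames, the password and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune per hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as described in the article; shown only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Random per-user salt plus a slow KDF, stored as algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed or legacy record: never treat as a match
    return hmac.compare_digest(candidate, expected)


def shared_digests(records: dict) -> dict:
    """Group usernames by stored value; a group of two or more reveals a shared password."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    pw = "creeper-2016"  # constructed sample password
    md5_db = {"alex": legacy_md5(pw), "steve": legacy_md5(pw)}  # constructed users
    kdf_db = {"alex": hash_password(pw), "steve": hash_password(pw)}
    print("unsalted MD5 collisions:", shared_digests(md5_db))
    print("salted PBKDF2 collisions:", shared_digests(kdf_db))
    print("verify ok:", verify_password(pw, kdf_db["alex"]))
```

With unsalted MD5 both constructed users store the same digest, so one precomputed lookup exposes every account sharing that password; with a random salt each record is unique and must be attacked separately at the cost of the full work factor.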