SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
28 Apr 2016

7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat

Quite literally, every day someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.

Over 7 million user accounts belonging to members of Minecraft community “Lifeboat” have been hacked, according to security researcher Troy Hunt.

He said he will upload the data to his breach notification website “Have I Been Pwned?”, which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords—meaning that hackers could likely obtain full passwords from some of the data. “The data was provided to me by someone actively involved in trading who's sent me other data in the past,” Hunt, who has verified the data and sent a redacted screenshot of some of it, said in an email.

Lifeboat runs servers for custom, multiplayer environments of Minecraft Pocket Edition—the smartphone version of the game—which allow Minecraft players to participate in different game modes, such as capture the flag or survival. To join the community, players download the normal Pocket Edition app, connect to a Lifeboat server, and register a username with an email address and password.

Hunt put experts in touch with several victims of the breach, who said they had not been informed by Lifeboat of the hack. “No lifeboat has not notified me of anything. Looks like they want to keep it [quiet], which I guess isn't that fair,” one user called Tyler, who said he was from Airdrie, Canada, said in an email. “They either didn't even notice yet or just don't care,” said a player named Henni.

“It's bad that they were breached in the first place, but not telling us about it is even worse,” Ali, who said they were from Wisconsin, added. Lifeboat said it had been aware of the breach for some time. “When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act,” a Lifeboat representative said in an email. “We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.”

“We have not received any reports of anyone being damaged by this,” the representative added in another email. They did not reply when asked to clarify why the company did not inform users. The three players said they had not received a password reset. Although the passwords in the breach were hashed, the hashing used the notoriously weak MD5 algorithm, meaning that plenty of the passwords could be figured out with the use of online tools.

“I was able to easily verify people's passwords with them simply by Googling them, such is the joy of unsalted MD5,” Hunt said. Motherboard confirmed that one of the hashes provided by Hunt corresponded to an easily guessable password. The Lifeboat representative said that the company now uses a stronger hashing algorithm.
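The example below is an added illustration, not Lifeboat's code and not part of the original article. It shows why unsalted MD5 exposes password reuse, and one way a site could move stored MD5 values to a salted, slow hash (PBKDF2-HMAC-SHA256 is assumed here; the record format, user names and passwords are constructed for the example).

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware

def md5_hex(password):
    # Legacy scheme from the article: unsalted, so equal passwords give equal hashes.
    return hashlib.md5(password.encode()).hexdigest()

def _pbkdf2(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS).hex()

def make_record(secret, scheme="pbkdf2"):
    # Record format (hypothetical): scheme$salt_hex$digest_hex, with a fresh random salt.
    salt = os.urandom(16)
    return f"{scheme}${salt.hex()}${_pbkdf2(secret, salt)}"

def wrap_legacy(db):
    # Offline step: wrap every bare MD5 so no fast hash stays at rest, even for idle users.
    for user, stored in db.items():
        if "$" not in stored:
            db[user] = make_record(stored, scheme="pbkdf2-md5")

def login(db, user, password):
    stored = db.get(user, "")
    if "$" not in stored:
        return False  # unknown user, or an unwrapped legacy row: refuse
    scheme, salt_hex, digest = stored.split("$")
    secret = md5_hex(password) if scheme == "pbkdf2-md5" else password
    if not hmac.compare_digest(_pbkdf2(secret, bytes.fromhex(salt_hex)), digest):
        return False
    if scheme == "pbkdf2-md5":
        db[user] = make_record(password)  # drop the MD5 layer on first good login
    return True

def demo():
    # Constructed sample rows: two users share a password, one does not.
    db = {"alice": md5_hex("minecraft1"), "bob": md5_hex("minecraft1"),
          "carol": md5_hex("Tr0ub4dor&3")}
    same_before = db["alice"] == db["bob"]   # unsalted MD5: reuse is visible
    wrap_legacy(db)
    same_after = db["alice"] == db["bob"]    # per-user salt: rows now differ
    ok = login(db, "alice", "minecraft1")
    bad = login(db, "bob", "wrong-guess")
    return same_before, same_after, ok, bad, db["alice"].split("$")[0], db["bob"].split("$")[0]

if __name__ == "__main__":
    print(demo())
```

Wrapping the existing values first matters because a rehash-on-login scheme alone leaves bare MD5 hashes in the database for every account that never signs in again.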

Naturally, if victims have used the same passwords on other services, such as their email, anyone in possession of the data has a chance of accessing those accounts too. Lifeboat's approach to security appears to be demonstrated in a how-to guide on its website. “By the way, we recommend short, but difficult to guess passwords. This is not online banking,” it reads.

The lesson: If you care about the security of your accounts, you should really be using a strong, unique password for each. That way, when a breach occurs on one service (and breaches clearly will happen), hackers will only be able to access that specific account.

Tags: hackers information leaks password

Source: Motherboard