Minecraft community fansite “Lifeboat” has admitted that it suffered a data breach in January, after security researcher Troy Hunt added some of the stolen data to his “Have I Been Pwned?” website.
Lifeboat Network runs servers that players of the smartphone version of Minecraft can connect to in order to play in different game modes (CTF, survival games, etc.). In order to do that, they have to open an account.
Hunt was given the data – usernames, hashed passwords and email addresses of over 7 million users – by a source involved in data trading who has provided him with similar information in the past.
But, according to Motherboard’s Joseph Cox, the compromised passwords (hashed, but with the easily crackable MD5 algorithm) have already been changed, as Lifeboat performed a low-key password reset in the weeks after the hack.
Affected users haven’t been notified of the breach, as Lifeboat apparently thought that, since no personal or financial information was compromised (they don’t collect it), they could do without notifying them.
Unfortunately, easily crackable passwords can be a way into other online accounts belonging to the same users, as research has shown that a great number of users recycle their passwords.
“This is yet another example of why it is important to use different passwords for different sites. Failing to do so can lead to further account compromise when one is breached,” Grayson Milbourne, Security Intelligence Director for cybersecurity company Webroot, pointed out, then advised: “If unique passwords are too much effort, I recommend making sure your primary email uses a unique password from all other online accounts.”
“More than likely this was an attack on LifeBoat’s servers which provided access to users’ account information,” he commented, and noted that Lifeboat’s setup guide for Minecraft says the following about selecting a password: ‘we recommend short, but difficult to guess passwords. This is not online banking.’