Wednesday, 4 May 2016

Hackers Steal Millions of Minecraft Passwords


Minecraft Passwords Stolen by Hackers


Login data of more than seven million members of the Minecraft site Lifeboat has been stolen by hackers. Lifeboat is a service offering servers and customized multiplayer games for Minecraft Pocket Edition, and this data breach affects customers who use the service. Anyone who used Minecraft Pocket Edition without signing up for Lifeboat is unaffected, but those who used Lifeboat may have received a message compelling them to change their password for the site in early 2015, because the company was aware of the hack, though it had not made the information public until recently. Lifeboat permits members to run servers for customised multiplayer maps for the smartphone edition of Minecraft.

There is confirmation that the stolen information, comprising email addresses and passwords, is offered on sites that trade in hacked data. Investigation suggests that the passwords were weakly protected, so attackers could work them out with ease. Evidence of the breach had been passed to Tony Hunt, an independent security expert, who stated that he had received the list from someone who trades in stolen credentials. Most of the people had informed him that the data had been circulating on dark net sites.

Passwords for Lifeboat Hashed – Little Security


Mr Hunt said that the data had been stolen in early 2016, though the breach had only now become known. He said that passwords for Lifeboat accounts were hashed, though the procedure used provided little security. Hashing is a technique used to scramble passwords so that they are not easily read if the data is stolen or lost. According to Mr Hunt, a Google search for a hashed password would usually return the correct plain text value, and people familiar with cracking tools could automate and speed up this procedure.

He had mentioned in a blog post regarding the breach that a large percentage of those passwords would be reverted to plain text in a short time. He also said that this often leads to other security problems, since many people re-use passwords, and finding out one could let attackers compromise accounts on other sites. Lifeboat, in a statement provided to Motherboard, stated that it had taken action to limit the damage.
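Why a fast, unsalted hash gives "little security", shown as an added example that is not from the original article or from Lifeboat. The article does not name the algorithm, so unsalted MD5 is an assumed stand-in; the accounts, the common-password list and the PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: account names and passwords are invented for this example.
ACCOUNTS = {"alice": "dragon123", "bob": "dragon123", "carol": "creeper!"}
COMMON_PASSWORDS = ["123456", "password", "dragon123", "minecraft"]
ITERATIONS = 600_000  # assumption: work factor chosen for PBKDF2-HMAC-SHA256

def weak_hash(password):
    """Unsalted, fast digest: the same password always yields the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_strong(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)

def lookup_exposure(stored):
    """Accounts whose stored value appears in a table precomputed from common passwords."""
    table = {weak_hash(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, value in stored.items() if value in table)

def duplicate_groups(stored):
    """Groups of accounts with identical stored values, which reveals shared passwords."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def demo():
    weak = {u: weak_hash(p) for u, p in ACCOUNTS.items()}
    strong = {u: strong_hash(p) for u, p in ACCOUNTS.items()}
    strong_values = {u: digest.hex() for u, (_salt, digest) in strong.items()}
    return {
        "weak_lookup": lookup_exposure(weak),
        "weak_duplicates": duplicate_groups(weak),
        "strong_lookup": lookup_exposure(strong_values),
        "strong_duplicates": duplicate_groups(strong_values),
        "login_ok": verify_strong("dragon123", *strong["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the unsalted scheme, one precomputed table covers every account and identical passwords are visible as identical rows; with a per-user salt and a slow function, neither shortcut works and each guess must be paid for per account.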

How to Minimise Damage to Users


Lifeboat told the news site that when this occurred in early January, it figured the best thing for its players was to quietly force password resets without letting the hackers know they had limited time to act, adding that it now used stronger hashing procedures. It also said that it had not received any reports of anyone being damaged by this. Mr Hunt had been critical of the company for 'quietly' compelling the password reset, stating that this policy had left him speechless.

Instead, he said, Lifeboat should have done more to alert users so that they could change passwords quickly if they used the same one on other sites. He said that the first priority for any company after an incident like this should be 'How to minimise the damage to the users'.
