Slashdot Mirror


Over 7 Million Accounts for Minecraft Community Hacked (vice.com)

Joseph Cox, reporting for Motherboard: Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt. Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords -- meaning that hackers could likely obtain full passwords from some of the data. "The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.

40 comments

  1. TLDR: The stupid Lifeboat people used MD5 hashes by xxxJonBoyxxx · · Score: 4, Informative

    As per TFA, Lifeboat used MD5 hashes for passwords. Dumbasses. Who does that in 2016 anymore?

  2. Re:Well... What can you expect from Microsoft? by Anonymous Coward · · Score: 2, Informative

    This story doesn't have anything to do with Microsoft.
    It's a 3rd party forum/service, and has nothing to do with actual Minecraft accounts.

    It also happened several months ago, the provider has been forcing resets and changed their hashing algorithm to something not completely stupid.

  3. "Have I Been Pwned?" by fustakrakich · · Score: 1

    No, but if you ask and draw attention to yourself, you probably will be... or an arrest warrant may pop up... It's almost quantum. Asking questions about something or someone will have an effect on it/them

    --
    “He’s not deformed, he’s just drunk!”
  4. Re:TLDR: The stupid Lifeboat people used MD5 hashe by U2xhc2hkb3QgU3Vja3M · · Score: 2

    I know, right? ROT13 is much better and ROT26 is twice as good.

  5. Re:You people deserve this by U2xhc2hkb3QgU3Vja3M · · Score: 2

    I'm sorry, is there a secret underground war between Minecraft players and Facebook users that we don't know about?

  6. Re:You people deserve this by ole_timer · · Score: 2

    Facebook is a security breach, why hack it?

    --
    nothing to see here - move along
  7. Re:Well... What can you expect from Microsoft? by fluffernutter · · Score: 1

    So now the question becomes... If they had used a Microsoft sanctioned code base would it have been any different? This is why I was a bit surprised Microsoft bought Minecraft.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  8. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 2, Funny

    One of the common themes in all of the security breaches and software security bugs that we've encountered lately is that an intelligent programmer isn't being used.

    As these breaches continue to happen, the more I realize that we need to start rewriting all of our software to use an intelligent programmer. It won't be an easy process, of course. Nothing worth doing ever is easy! But once we do rewrite all of our software using a person that's as safe as an intelligent programmer then we'll all be a lot better off.

    If we eliminate dumb programmers as the main source of security problems, then we can focus more energy on tackling other non-software security problems, like social engineering and faulty hardware.

    When software security is the problem, then I think that the Rust programming language is the answer.

  9. As always... by EmeraldBot · · Score: 1

    As always, make sure you check haveibeenpwned to see if you're affected. For those who are, please be absolutely sure to change your passwords as md5 isn't secure anymore. If that's a huge hassle, then you've been reusing the same password - a big no-no, take this opportunity to use multiple. Not only will it make your life much more secure, but it makes situations such as these much easier, and you'll be glad you did so next time.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    1. Re:As always... by Anonymous Coward · · Score: 1

      Uh Oh... results for "nobody@example.com":

      "Pwned on 6 breached sites and found 3 pastes (subscribe to search sensitive breaches)"

    2. Re:As always... by Anonymous Coward · · Score: 0

      MD5 is still fine for password hashing, or at least not possible to crack without near brute-force levels. It hasn't been cracked for that purpose (yet), but it's shown weaknesses in other areas.

      The big problem with MD5 is that it's trivial to calculate, which makes it really really fast (a good thing back at the turn of the century), but also makes it really easy to run tens of billions of brute-force attempts per second against the hash via a $10,000 machine (usually with quad video cards using CUDA). If my source is correct, a GTX 970 can do about 10 billion MD5 hashes per second. Running on AWS, you can easily get an EC2 instance that runs 2.5 billion MD5 hashes per second.

      More modern password hashing algorithms are designed to be difficult to calculate on GPUs or with FPGAs. Instead of being able to calculate a billion brute-force attempts per second on a $10,000 machine, you might only be able to check a few tens of thousands per second on that machine. That same NVIDIA GTX 970 can only do about 200k scrypt hashes per second, and if you require 1000 iterations, that drops to 2000 brute-force attempts per second.

      To give an idea of the numbers for MD5, let's assume an optimistic password that has 64 bits of entropy. That's 1.84e19 possibles, divided by 10 billion hashes per second = 1.84e9 seconds or about 58 years. That sounds like a lot, but if you can scale up to 100 billion hashes per second, that's now only 5.8 years. Scale up a bit more to 1 trillion hashes per second and you're at only 0.58 years.

      And most passwords don't have 64 bits of entropy, most are only 40-50 bits (if you're lucky).

      Even hashes like scrypt won't hold out forever. While they are 50,000x slower than MD5, that just moves the goal post another decade or two down the road. The big win with scrypt and the more modern password hashing functions is that they allow you to specify the number of iterations, which lets you increase that count over time for new accounts, requiring more and more time (unless a shortcut is found). So instead of being 50,000x slower than MD5, if you set your iteration count to 1000, then your hashing is now 50,000,000x slower than MD5.
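The arithmetic in the comment above (keyspace divided by guess rate, and the multiplicative effect of an iteration count) as a small Python calculator. This is an added example, not code from the thread; the hash rates it feeds in (1e10 MD5/s and 2e5 scrypt/s on one GPU) are the comment's own figures, taken here as assumptions, and the function names are mine.

```python
SECONDS_PER_YEAR = 365.25 * 86400  # Julian year; close enough for risk estimates


def keyspace(entropy_bits: float) -> float:
    """Number of candidate passwords for a given entropy in bits."""
    return 2.0 ** entropy_bits


def years_to_exhaust(entropy_bits: float, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    The average time to reach the right one is half of this."""
    return keyspace(entropy_bits) / hashes_per_second / SECONDS_PER_YEAR


def effective_guess_rate(hashes_per_second: float, iterations: int) -> float:
    """Guesses per second once each guess costs `iterations` rounds of the hash."""
    return hashes_per_second / iterations


def slowdown_factor(fast_hash_rate: float, slow_hash_rate: float, iterations: int = 1) -> float:
    """How many times slower guessing becomes with the slow hash (and its
    iteration count) compared with the fast one."""
    return fast_hash_rate / slow_hash_rate * iterations


def crack_time_table(entropy_options, rate_options):
    """Rows of (bits, hashes/s, worst-case years) for a quick risk table."""
    return [(bits, rate, years_to_exhaust(bits, rate))
            for bits in entropy_options for rate in rate_options]


if __name__ == "__main__":
    # Assumed rates, taken from the comment: ~1e10 MD5/s and ~2e5 scrypt/s on one GPU.
    MD5_PER_SECOND = 1e10
    SCRYPT_PER_SECOND = 2e5
    for bits, rate, years in crack_time_table((40, 50, 64), (1e10, 1e11, 1e12)):
        print(f"{bits:2d} bits @ {rate:8.0e} hashes/s -> {years:12.6f} years worst case")
    print("scrypt vs MD5, single pass:", slowdown_factor(MD5_PER_SECOND, SCRYPT_PER_SECOND))
    print("scrypt vs MD5, 1000 iterations:", slowdown_factor(MD5_PER_SECOND, SCRYPT_PER_SECOND, 1000))
    print("guesses/s against 1000-iteration scrypt:", effective_guess_rate(SCRYPT_PER_SECOND, 1000))
```

Run it and the 64-bit row reproduces the comment's 58 / 5.8 / 0.58 years; the 40-bit row shows why the comment's last point matters, since 2^40 guesses at 1e10/s take under two minutes. The useful defender's takeaway is that the iteration count is the only parameter you control after the fact: it multiplies the attacker's cost directly, so it should be raised as hardware gets faster.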

    3. Re:As always... by jeremyp · · Score: 1

      For super accurate results, enter your user name and password into the form provided. Then the answer is guaranteed to be correct.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  10. Re:Was Rust being used? Probably not! by xxxJonBoyxxx · · Score: 3, Informative

    AFAIK, password hashing isn't built into Rust; you have to bolt on the necessary security from a third party.

    In Rust, the default "hash" function (std::hash - https://doc.rust-lang.org/std/hash/) uses SipHash 2-4, which isn't cryptographically secure (http://crypto.stackexchange.com/questions/17996/is-siphash-cryptographically-secure). Developers need to use a third party "crate" like pwhash (https://users.rust-lang.org/t/pwhash-a-password-hashing-verification-library/4581) to get some decent hashing algorithms in their Rust app, and even then, Rust developers still need to be smart enough not to pick one of the insecure options. (Fortunately, the pwhash doc is pretty good.)

  11. Re:You people deserve this by khallow · · Score: 2

    Sure! I have the comic books to prove it. But I can't show you them otherwise it wouldn't be secret any more.

  12. Re:Clearly Micro$oft's Fault by ole_timer · · Score: 1

    A Minecraft account with a score (or whatever it is called to have points) is worth more than a credit card on hacker bulletin boards, it's simple economics.

    --
    nothing to see here - move along
  13. Oh, look. It's the Hipster Switcharoo Fallacy. by Anonymous Coward · · Score: 1

    You've committed the Hipster Switcharoo Fallacy. This logical fallacy, typically committed by hipsters, involves taking a sound, sensible argument and using it as a template when creating a new argument that's supposed to contradict the original argument. A few words are switched, and the hipster thinks he has come up with a witty rebuttal to the argument, when in reality he has only made himself look like a blithering idiot. The new argument is typically flawed in most ways.

    First of all, you forgot to switch the last line of the original comment, which ends up contradicting your pathetic rebuttal attempt! By forgetting to change that line it makes it look like you're supporting the original argument.

    Ignoring that obvious mistake, your argument doesn't even make any sense. Rust, by its very nature of being a damn difficult and awkward language to use, inherently drives away "dumb" programmers. The only people who can manage to figure out and use Rust are highly intelligent. You need to be well above average to understand and to use its resource ownership techniques. I mean, if you don't understand them then your code probably won't even compile. So yet again you actually proved the original argument, while pathetically trying to prove it wrong.

    Your comment serves as a superb example of why hipsters should always avoid the Hipster Switcheroo Fallacy. It always ends up blowing up in your faces, and always proves the original argument to be correct!

    1. Re:Oh, look. It's the Hipster Switcharoo Fallacy. by Anonymous Coward · · Score: 0

      and always proves the original argument to be correct!

      So... if I post something, and then immediately commit the "fallacy" against myself (either as an AC or under a different account), that means that whatever I said to start with magically becomes true?

    2. Re: Oh, look. It's the Hipster Switcharoo Fallacy. by Anonymous Coward · · Score: 0

      From the OP: Dude, it's a joke. Chill. I could have replaced it with "a semi-drunk Linus Torvalds" and it would be equally funny.

  14. Lifeboat accounts hacked, not Minecraft accounts by Krazy+Kanuck · · Score: 1

    Per the article: "To join the community, players download the normal Pocket Edition app, connect to a Lifeboat server, and register a username with an email address and password." It's a big difference, granted some percentage of that user base was probably dumb enough to use the same password.

  15. Re:Well... What can you expect from Microsoft? by Anonymous Coward · · Score: 0

    So now the question becomes... If they had used a Microsoft sanctioned code base would it have been any different? This is why I was a bit surprised Microsoft bought Minecraft.

    You're still not getting this.
    It has nothing to do with Microsoft or Mojang. Put simply - someone has a fan site, that site got hacked.

  16. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 1

    It's not that the programmers are unintelligent, it's that they don't understand or know about security. Worse yet, they might think they do know a lot about security. I've been in the automotive industry for a decade, and I did write some crypto-using code for a secure update and configuration channel when I was a young guy. But, the key interface was designed AND implemented by a more senior engineer, and he reviewed my code as well. I wrote tests for his part. Now, I know enough about security to be scared, but in those days, I was just cocky enough that I shouldn't have been allowed to write the crypto interface code (the crypto library was purchased as a library). I wasn't dumb, just ignorant. Security is hard to get right, and testing doesn't work the same as functional testing. The simple fact is that any networked software (which is pretty much all software anymore) needs at least one seasoned and trained engineer tasked with ownership of the security aspects. And, standard best practices like risk assessments, external pen testing and vulnerability tracking should be incorporated into the development lifecycle. I would argue that the problem is anything but dumb programmers. The problem is excellent programmers who write great functional code, but don't understand the subtlety of systems security. Same with architects even.

  17. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 0

    One of the common themes in reality is that the Rust programming language isn't being used. And it never will be.

    FTFY

  18. Re:Well... What can you expect from Microsoft? by Anonymous Coward · · Score: 0

    The servers are Microsoft products... They run on Microsoft servers...

    Use Microsoft products at your own risk.

    Insecure at any location.

  19. Re:TLDR: The stupid Lifeboat people used MD5 hashe by Anonymous Coward · · Score: 1

    What gets me is that in 2016, most web management software requires you to use 3rd party solutions to properly protect passwords. We have known that encrypting, hashing and salting passwords in the DB should be done in all cases, for the past 10 years at least, but most software makes a web developer look elsewhere for the functionality.

  20. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 0

    Was someone triggered by the idea of secure hashing built in to the language?

  21. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 0

    Rust is secure because no one is both stupid and popular enough to create a program that will see widespread use with it. It's the same reason Haskell has no side effects: someone would need to run the application first.

  22. Uh oh by goldaryn · · Score: 1

    There are lots of Minecrafters bricking it right now..

  23. That's what happens by Anonymous Coward · · Score: 0

    That's what happens when a game is primarily played by children: The community websites are probably made by teenagers...

  24. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 0

    Java supports PBKDF2 out of the box, but its use is not entirely straightforward. I would imagine that other platforms with similar standard libraries (.NET?) probably have the same support... and the same problem. It's still only something like 5-10 lines of code, but ain't nobody got time fo dat.

    Everybody uses MD5 because there is a simple function called md5() (or, in Java, the MessageDigest class which supports most of the well-known hashing functions), but no salting or iterations or anything like that.

    If PBKDF2 were as easy to use as MD5 (or other hashes), I think people would use them more frequently.
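Comments 19 and 24 both make the same point: a bare md5() call is what gets used because it is one line, while a salted, iterated KDF takes a handful. The block below is an added example, not from the thread or from Lifeboat, using Python's standard-library PBKDF2-HMAC (standing in for the Java API the comment mentions) to show the weak practice next to the "5-10 lines" that replace it. The iteration count, the storage format, the function names and the three sample accounts are all my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed iteration count for this example; tune it upward to your own hardware budget.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The practice the thread criticises: a bare, unsalted, single-pass MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, serialised together with its
    parameters so the count can be raised later without breaking old rows."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    Any malformed or foreign record verifies as False rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def shared_hash_groups(table: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical. With unsalted hashes this reveals
    who shares a password without cracking anything; with per-user salts the
    result should always be empty."""
    by_value: Dict[str, List[str]] = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


# Constructed sample accounts (not real data): two users chose the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def build_tables():
    """The same accounts stored the weak way and the salted, iterated way."""
    weak = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("users sharing an MD5 value:   ", shared_hash_groups(weak))
    print("users sharing a PBKDF2 value: ", shared_hash_groups(strong))
    print("alice, right password:", pbkdf2_verify("correct horse", strong["alice"]))
    print("alice, wrong password:", pbkdf2_verify("wrong", strong["alice"]))
```

Two things worth noticing in the output: the MD5 table leaks that alice and bob share a password before anyone runs a single guess, and the PBKDF2 records carry their own iteration count, so a later increase only affects new or re-hashed rows and verification of old rows keeps working.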

  25. Not surprised at all by Anonymous Coward · · Score: 0

    Is it just me or has anyone else noticed that it is practically impossible to download ANYTHING related to Minecraft without getting infected with malware, trojan, virus, etc etc. Whenever my kids want a new mod, I am forced to use a virtualized desktop to download the mod.