Over 7 Million Accounts for Minecraft Community Hacked

Joseph Cox, reporting for Motherboard: Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt. Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords -- meaning that hackers could likely obtain full passwords from some of the data. "The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.

TLDR: The stupid Lifeboat people used MD5 hashes

[xxxJonBoyxxx]

As per TFA, Lifeboat used MD5 hashes for passwords. Dumbasses. Who does that in 2016 anymore?

Re:Well... What can you expect from Microsoft?

This story doesn't have anything to do with Microsoft.
It's a 3rd party forum/service, and has nothing to do with actual Minecraft accounts.

It also happened several months ago, the provider has been forcing resets and changed their hashing algorithm to something not completely stupid.

Re:Was Rust being used? Probably not!

[xxxJonBoyxxx]

AFAIK, password hashing isn't built into Rust; you have to bolt on the necessary security from a third party.

In Rust, the default "hash" function (std::hash - https://doc.rust-lang.org/std/hash/) uses SipHash 2-4, which isn't cryptographically secure (http://crypto.stackexchange.com/questions/17996/is-siphash-cryptographically-secure). Developers need to use a third party "crate" like pwhash (https://users.rust-lang.org/t/pwhash-a-password-hashing-verification-library/4581) to get some decent hashing algorithms in their Rust app, and even then, Rust developers still need to be smart enough not to pick one of the insecure options. (Fortunately, the pwhash doc is pretty good.)