Over 7 Million Accounts for Minecraft Community Hacked

Joseph Cox, reporting for Motherboard: Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt. Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords -- meaning that hackers could likely obtain full passwords from some of the data. "The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.

it wuz teh haxx0rz wif teh haxx!

Because anything wrong on teh intarwebz attributable to yourself is better attributed to that cyber bogeyman, teh haxx0r.

Well... What can you expect from Microsoft?

Security? Not a chance.

Re:Well... What can you expect from Microsoft?

This story doesn't have anything to do with Microsoft.
It's a 3rd party forum/service, and has nothing to do with actual Minecraft accounts.

It also happened several months ago, the provider has been forcing resets and changed their hashing algorithm to something not completely stupid.

Re:Well... What can you expect from Microsoft?

[fluffernutter]

So now the question becomes... If they had used a Microsoft sanctioned code base would it have been any different? This is why I was a bit surprised Microsoft bought Minecraft.

Re:Well... What can you expect from Microsoft?

So now the question becomes... If they had used a Microsoft sanctioned code base would it have been any different? This is why I was a bit surprised Microsoft bought Minecraft.

You're still not getting this.
It has nothing to do with Microsoft or Mojang. Put simply - someone has a fan site, that site got hacked.

Re:Well... What can you expect from Microsoft?

The servers are Microsoft products... They run on Microsoft servers...

Use Microsoft products at your own risk.

Insecure at any location.

TLDR: The stupid Lifeboat people used MD5 hashes

[xxxJonBoyxxx]

As per TFA, Lifeboat used MD5 hashes for passwords. Dumbasses. Who does that in 2016 anymore?

Clearly Micro$oft's Fault

This never would have happened if Micro$oft hadn't bought Minecraft.

Re:Clearly Micro$oft's Fault

[ole_timer]

a minecraft account with a score (or whatever it is called to have points) is worth more than a credit card on hacker bulletin boards, it's simple economics.

My God...

The sperg rage will kill us all.

Who cares?

I sure as hell don't.

You people deserve this

You always say that people who use Facebook deserve security breaches. It seems the tables have been turned. You pretentious nerd bastards deserve this. Any security breaches that affect you are poetic justice.

Re:You people deserve this

[U2xhc2hkb3QgU3Vja3M]

I'm sorry, is there a secret underground war between Minecraft players and Facebook users that we don't know about?

Re:You people deserve this

[ole_timer]

facebook is a security breach, why hack it?

Re:You people deserve this

[khallow]

Sure! I have the comic books to prove it. But I can't show you them otherwise it wouldn't be secret any more.

"Have I Been Pwned?"

[fustakrakich]

No, but if you ask and draw attention to yourself, you probably will be... or an arrest warrant may pop up... It's almost quantum. Asking questions about something or someone will have an effect on it/them

Re:TLDR: The stupid Lifeboat people used MD5 hashe

[U2xhc2hkb3QgU3Vja3M]

I know, right? ROT13 is much better and ROT26 is twice as good.

Was Rust being used? Probably not!

One of the common themes in all of the security breaches and software security bugs that we've encountered lately is that the Rust programming language isn't being used.

Rust is a programming language that, according to its web site, "prevents segfaults" and "guarantees thread safety". Those are just the kinds of things that are needed when writing secure software.

As these breaches continue to happen, the more I realize that we need to start rewriting all of our software to use Rust. It won't be an easy process, of course. Nothing worth doing ever is easy! But once we do rewrite all of our software using a language that's as safe as Rust then we'll all be a lot better off.

If we eliminate software flaws as the main source of security problems, then we can focus more energy on tackling other non-software security problems, like social engineering and faulty hardware.

When software security is the problem, then I think that the Rust programming language is the answer.

Re:Was Rust being used? Probably not!

One of the common themes in all of the security breaches and software security bugs that we've encountered lately is that an intelligent programmer isn't being used.

As these breaches continue to happen, the more I realize that we need to start rewriting all of our software to use an intelligent programmer. It won't be an easy process, of course. Nothing worth doing ever is easy! But once we do rewrite all of our software using a person that's as safe as an intelligent programmer then we'll all be a lot better off.

If we eliminate dumb programmers as the main source of security problems, then we can focus more energy on tackling other non-software security problems, like social engineering and faulty hardware.

When software security is the problem, then I think that the Rust programming language is the answer.

Re:Was Rust being used? Probably not!

[xxxJonBoyxxx]

AFAIK, password hashing isn't built into Rust; you have to bolt on the necessary security from a third party.

In Rust, the default "hash" function (std::hash - https://doc.rust-lang.org/std/hash/) uses SipHash 2-4, which isn't cryptographically secure (http://crypto.stackexchange.com/questions/17996/is-siphash-cryptographically-secure). Developers need to use a third party "crate" like pwhash (https://users.rust-lang.org/t/pwhash-a-password-hashing-verification-library/4581) to get some decent hashing algorithms in their Rust app, and even then, Rust developers still need to be smart enough not to pick one of the insecure options. (Fortunately, the pwhash doc is pretty good.)

Re:Was Rust being used? Probably not!

It's not that the programmers are unintelligent, it's that they don't understand or know about security. Worse yet, they might think they do know a lot about security. I've been in the automotive industry for a decade, and I did write some crypto-using code for a secure update and configuration channel when I was a young guy. But, the key interface was designed AND implemented by a more senior engineer, and he reviewed my code as well. I wrote tests for his part. Now, I know enough about security to be scared, but in those days, I was just cocky enough that I shouldn't have been allowed to write the crypto interface code (the crypto library was purchased as a library). I wasn't dumb, just ignorant. Security is hard to get right, and testing doesn't work the same as functional testing. The simple fact is that any networked software (which is pretty much all software anymore) needs at least one seasoned and trained engineer tasked with ownership of the security aspects. And, standard best practices like risk assessments, external pen testing and vulnerability tracking should be incorporated into the development lifecycle. I would argue that the problem is anything but dumb programmers. The problem is excellent programmers who write great functional code, but don't understand the subtly of systems security. Same with architects even.

Re:Was Rust being used? Probably not!

One of the common themes in reality is that the Rust programming language isn't being used. And it never will be.

FTFY

Re:Was Rust being used? Probably not!

Was someone triggered by the idea of secure hashing built in to the language?

Re:Was Rust being used? Probably not!

Rust is secure because no one is both stupid and popular enough to create a program that will see widespread use with it. It's the same reason Haskell has no side effects: someone would need to run the application first.

Re:Was Rust being used? Probably not!

Java supports PWKBF2 out of the box, but it's use is not entirely straightforward. I would imagine that other platforms with similar standard libraries (.NET?) probably have the same support... and the same problem. It's still only something like 5-10 lines of code, but ain't nobody got time fo dat.

Everybody uses MD5 because there is a simple function called md5() (or, in Java, the MessageDigest class which supports most of the well-known hashing functions), but no salting or iterations or anything like that.

If PBKDF2 were as easy to use as MD5 (or other hashes), I think people would use them more frequently.

As always...

[EmeraldBot]

As always, make sure you check haveibeenpwned to see if you're affected. For those who are, please be absolutely sure to change your passwords as md5 isn't secure anymore. If that's a huge hassle, then you've been reusing the same password - a big no-no, take this opportunity to use multiple. Not only will it make your life much more secure, but it makes situations such as these much easier, and you'll be glad you did so next time.

Re:As always...

Uh Oh... results for "nobody@example.com":

"Pwned on 6 breached sites and found 3 pastes (subscribe to search sensitive breaches)"

Re:As always...

MD5 is still fine for password hashing, or at least not possible to crack without near brute-force levels. It hasn't been cracked for that purpose (yet), but its shown weaknesses in other areas.

The big problem with MD5 is that it's trivial to calculate, which makes it really really fast (a good thing back at the turn of the century), but also makes it really easy to run tens of billions of brute-force attempts per second against the hash via a $10,000 machine (usually with quad video cards using CUDA). If my source is correct, a GTX 970 can do about 10 billion MD5 hashes per second. Running on AWS, you can easily get an EC2 instance that runs 2.5 billion MD5 hashes per second.

More modern password hashing algorithms are designed to be difficult to calculate on GPUs or with FPGAs. Instead of being able to calculate a billion brute-force attempts per second on a $10,000 machine, you might only be able to check a few tens of thousands per second on that machine. That same NVIDIA GTX 970 can only do about 200k scrypt hashes per second, and if you require 1000 iterations, that drops to 2000 brute-force attempts per second.

To give an idea of the numbers for MD5, let's assume an optimistic password that has 64 bits of entropy. That's 1.84e19 possibles, divided by 10 billion hashes per second = 1.84e9 seconds or about 58 years. That sounds like a lot, but if you can scale up to 100 billion hashes per second, that's now only 5.8 years. Scale up a bit more to 1 trillion hashes per second and you're at only 0.58 years.

And most passwords don't have 64 bits of entropy, most are only 40-50 bits (if you're lucky).

Even hashes like scrypt won't hold out forever. While they are 50,000x slower then MD5, that just moves the goal post another decade or two down the road. The big win with scrypt and the more modern password hashing functions is that they allow you to specify the number of iterations, which lets you increase that count over time for new accounts, requiring more and more time (unless a shortcut is found). So instead of being 50,000x slower then MD5, if you set your iteration count to 1000, then your hashing is now 50,000,000x slower then MD5.

Re:As always...

[jeremyp]

For super accurate results, enter your user name and password into the form provided. Then the answer is guaranteed to be correct.

Those poor people.

All those autism disability checks lost.

ShG1t

people already; I'm Our ability to and personal can be like coming a piss roots anD gets on networking test. triumphs would soon a productivity

That's because Minecraft is LUDDITE software!

Modern app appers know that ONLY apps can app apps, so Minecraft was hacked because it's LUDDITE software, not an appy app app!

Apps!

Oh, look. It's the Hipster Switcharoo Fallacy.

You've committed the Hipster Switcharoo Fallacy. This logical fallacy, typically committed by hipsters, involves taking a sound, sensible argument and using it as a template when creating a new argument that's supposed to contradict the original argument. A few words are switched, and the hipster thinks he has come up with a witty rebuttal to the argument, when in reality he has only made himself look like a blithering idiot. The new argument is typically flawed in most ways.

First of all, you forgot to switch the last line of the original comment, which ends up contradicting your pathetic rebuttal attempt! By forgetting to change that line it makes it look like you're supporting the original argument.

Ignoring that obvious mistake, your argument doesn't even make any sense. Rust, by its very nature of being a damn difficult and awkward language to use, inherently drives away "dumb" programmers. The only people who can manage to figure out and use Rust are highly intelligent. You need to be well above average to understand and to use its resource ownership techniques. I mean, if you don't understand them then your code probably won't even compile. So yet again you actually proved the original argument, while pathetically trying to prove it wrong.

Your comment serves as a superb example of why hipsters should always avoid the Hipster Switcheroo Fallacy. It always ends up blowing up in your faces, and always proves the original argument to be correct!

Re:Oh, look. It's the Hipster Switcharoo Fallacy.

and always proves the original argument to be correct!

So... if I post something, and then immediately commit the "fallacy" against myself (either as an AC or under a different account), that means that whatever I said to start with magically becomes true?

Re: Oh, look. It's the Hipster Switcharoo Fallacy.

From the OP: Dude, it's a joke. Chill. I could have replaced it with "a semi-drunk Linus Torvalds" and it would be equally funny.

Lifeboat accounts hacked, not Minecraft accounts

[Krazy+Kanuck]

Per the article: "To join the community, players download the normal Pocket Edition app, connect to a Lifeboat server, and register a username with an email address and password." Its a big difference, granted some percentage of that user base was probably dumb enough to use the same password.

Re:TLDR: The stupid Lifeboat people used MD5 hashe

What gets me is that in 2016, most web management software requires you to use 3rd party solutions to properly protect passwords.We have know that encrypting, hashing and salting passwords in the DB should be done in all cases, for the past 10 years at least, but most software makes a web developer look elsewhere for the functionality.

Uh oh

[goldaryn]

There's a lots of Minecrafters bricking it right now..

That's what happens

That's what happens when a game is primarily played by children: The community websites are probably made by teenagers...

Not surprised at all

Is it just me or has anyone else noticed that it is practically impossible to download ANYTHING related to Minecraft without getting infected with malware, trojan, virus, etc etc. Whenever my kids want a new mod, I am forced to use a virtualized desktop to download the mod.