Slashdot Mirror


Over 7 Million Accounts for Minecraft Community Hacked (vice.com)

Joseph Cox, reporting for Motherboard: Over seven million user accounts belonging to members of Minecraft community "Lifeboat" have been hacked, according to security researcher Troy Hunt. Hunt said he will upload the data to his breach notification website "Have I Been Pwned?", which allows people to check if their account is compromised, on Tuesday, and that it includes email addresses and weakly hashed passwords -- meaning that hackers could likely obtain full passwords from some of the data. "The data was provided to me by someone actively involved in trading who's sent me other data in the past," Hunt, who has verified the data and sent Motherboard a redacted screenshot of some of it, said in an email.

8 of 40 comments

  1. TLDR: The stupid Lifeboat people used MD5 hashes by xxxJonBoyxxx · · Score: 4, Informative

    As per TFA, Lifeboat used MD5 hashes for passwords. Dumbasses. Who does that in 2016 anymore?

  2. Re:Well... What can you expect from Microsoft? by Anonymous Coward · · Score: 2, Informative

    This story doesn't have anything to do with Microsoft.
    It's a 3rd party forum/service, and has nothing to do with actual Minecraft accounts.

    It also happened several months ago; the provider has been forcing resets and changed their hashing algorithm to something not completely stupid.
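
Added example, not part of the thread and not Lifeboat's code: a sketch of moving stored MD5 password records to a salted, slow hash at login time, alongside the forced resets mentioned above. The record format (`md5$...`, `pbkdf2$...`), the choice of PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the page; tune per hardware

def legacy_md5(password: str) -> str:
    """Legacy record format assumed here: bare hex MD5 with no salt."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str) -> str:
    """New record: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), record)
    if scheme == "pbkdf2":
        try:
            iters, salt_hex, dk_hex = rest.split("$")
            salt, iters = bytes.fromhex(salt_hex), int(iters)
        except ValueError:
            return False  # malformed record: fail closed
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
        return hmac.compare_digest(got.hex(), dk_hex)
    return False  # unknown scheme: fail closed

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy record while the plaintext is in hand."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("md5$"):
        db[user] = pbkdf2_record(password)  # the MD5 value is overwritten
    return True

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    db = {"alice": legacy_md5("hunter2"), "bob": legacy_md5("hunter2")}
    print("legacy records identical:", db["alice"] == db["bob"])
    login(db, "alice", "hunter2")
    login(db, "bob", "hunter2")
    print("upgraded records identical:", db["alice"] == db["bob"])
```

Accounts that never log in again keep their MD5 record under this scheme, which is why a forced reset or expiry of legacy records is still needed.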

  3. Re:TLDR: The stupid Lifeboat people used MD5 hashe by U2xhc2hkb3QgU3Vja3M · · Score: 2

    I know, right? ROT13 is much better and ROT26 is twice as good.

  4. Re:You people deserve this by U2xhc2hkb3QgU3Vja3M · · Score: 2

    I'm sorry, is there a secret underground war between Minecraft players and Facebook users that we don't know about?

  5. Re:You people deserve this by ole_timer · · Score: 2

    facebook is a security breach, why hack it?

    --
    nothing to see here - move along

  6. Re:Was Rust being used? Probably not! by Anonymous Coward · · Score: 2, Funny

    One of the common themes in all of the security breaches and software security bugs that we've encountered lately is that an intelligent programmer isn't being used.

    As these breaches continue to happen, the more I realize that we need to start rewriting all of our software to use an intelligent programmer. It won't be an easy process, of course. Nothing worth doing ever is easy! But once we do rewrite all of our software using a person that's as safe as an intelligent programmer then we'll all be a lot better off.

    If we eliminate dumb programmers as the main source of security problems, then we can focus more energy on tackling other non-software security problems, like social engineering and faulty hardware.

    When software security is the problem, then I think that the Rust programming language is the answer.

  7. Re:Was Rust being used? Probably not! by xxxJonBoyxxx · · Score: 3, Informative

    AFAIK, password hashing isn't built into Rust; you have to bolt on the necessary security from a third party.

    In Rust, the default "hash" function (std::hash - https://doc.rust-lang.org/std/hash/) uses SipHash 2-4, which isn't cryptographically secure (http://crypto.stackexchange.com/questions/17996/is-siphash-cryptographically-secure). Developers need to use a third party "crate" like pwhash (https://users.rust-lang.org/t/pwhash-a-password-hashing-verification-library/4581) to get some decent hashing algorithms in their Rust app, and even then, Rust developers still need to be smart enough not to pick one of the insecure options. (Fortunately, the pwhash doc is pretty good.)

  8. Re:You people deserve this by khallow · · Score: 2

    Sure! I have the comic books to prove it. But I can't show you them otherwise it wouldn't be secret any more.