Motherboard is reporting that over 7 million user accounts belonging to the Minecraft community “Lifeboat” are for sale.
Security researcher Troy Hunt is loading the data into his web site “Have I Been Pwned?” so that people can check whether their data was in the hacked set.
Lifeboat runs servers for custom multiplayer editions of Minecraft Pocket Edition (for mobile users).
Motherboard reached out to several victims who said that they had not been notified by Lifeboat of the breach.
Lifeboat said that they had been aware of the breach for some time.
They said that when this happened in early January, they decided that the best thing for their players was to quietly force a password reset and not let the hackers know that they had a limited time to act.
I am not aware of any state data breach law or any clause in the FTC Act that says that if a company is breached and they “quietly force a password reset”, they do not have to let the victims know that their data was compromised. I do not know if the FTC is now looking at this, but I would not advise clients to use this solution in the face of a breach.
To make matters worse, the users that Motherboard spoke to said that they had never been asked to reset their password.
The good news, if there is any, is that the amount of information the company keeps on each user is small, but there is still a dark side.
Lifeboat used the MD5 hash algorithm to hash their passwords. MD5 is a fast general-purpose hash that was never designed for storing passwords; it is considered very weak for that purpose, and an attacker who holds the hashes can test guesses at enormous speed (or simply look common passwords up in precomputed tables), so the hash offers little protection. If a user reused that password on other sites, the user is at risk of further compromise well beyond the data taken from Lifeboat.
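To make the point concrete, here is an added example (not code from Lifeboat or from the original post) that runs a dictionary attack against a small constructed set of unsalted MD5 hashes, as the post describes Lifeboat's, and then against the same passwords stored with a salted, iterated hash (PBKDF2-SHA256 from the Python standard library). The user names, passwords, wordlist, storage record format and iteration count are all assumptions made for the example. It also shows a side effect the paragraph above only implies: with no salt, users who chose the same password are visible before any cracking happens, because identical passwords produce identical hashes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the breach). Two users share a
# password, and one chose something not in the wordlist.
SAMPLE_USERS = {
    "steve": "password",
    "alex": "minecraft1",
    "creeper": "password",
    "herobrine": "Xk9#qv!2Lm@p",
}

# A tiny constructed wordlist standing in for the multi-million-entry lists
# and precomputed MD5 tables that attackers actually use.
WORDLIST = ["123456", "password", "minecraft", "minecraft1", "qwerty", "letmein"]

ITERATIONS = 100_000  # assumed per-guess work factor for the salted scheme


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the scheme the post says Lifeboat used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def leaked_md5_table(users: dict) -> dict:
    """What an attacker holds after the breach: username -> MD5 hex digest."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def crack_md5(leaked: dict, wordlist: list) -> dict:
    """Offline dictionary attack against unsalted MD5.

    With no salt, one MD5 per candidate word cracks every user who chose that
    word: the whole attack is len(wordlist) hashes plus a lookup, no matter how
    many accounts leaked. Returns username -> recovered password.
    """
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def duplicate_password_groups(leaked: dict) -> list:
    """Users who share a password, visible from the unsalted hashes alone."""
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow password hash.

    Record format is an assumption for this example:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(records: dict, wordlist: list) -> tuple:
    """The same dictionary attack against the salted records.

    The salt defeats shared lookups, so every user costs a separate pass over
    the wordlist, and each candidate costs <iterations> rounds instead of one
    MD5. Returns (cracked dict, number of PBKDF2 evaluations performed).
    """
    cracked, evaluations = {}, 0
    for user, record in records.items():
        for word in wordlist:
            evaluations += 1
            if verify_pbkdf2(word, record):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    leaked = leaked_md5_table(SAMPLE_USERS)
    print("MD5 cracked:", crack_md5(leaked, WORDLIST), "with", len(WORDLIST), "hashes")
    print("shared passwords visible without cracking:", duplicate_password_groups(leaked))
    records = {u: pbkdf2_record(p) for u, p in SAMPLE_USERS.items()}
    cracked, evals = crack_pbkdf2(records, WORDLIST)
    print("PBKDF2 cracked:", cracked, "after", evals, "evaluations of", ITERATIONS, "rounds")
```

Weak passwords still fall under the salted scheme; the difference is cost. The MD5 attack spends six hashes for the whole user base, while the salted attack spends one full PBKDF2 run per guess per user, which is what turns a dump of millions of hashes from a lookup into a budget problem for the attacker. The last user is not cracked under either scheme because the password is not in the wordlist, which is the user-side half of the defence.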
When asked why they did not tell users, Lifeboat did not respond.
Just another reason not to reuse passwords.
While researching the Minecraft breach, I came across an article on an even bigger breach – the app 17, which is, apparently, popular in Asia. The hackers claim to be selling 30 million identities.
Motherboard says that when the company raised Series A funding last year, it said the app had been downloaded 6 million times, while the Google Play store lists it at between 500,000 and a million downloads, so the figures do not line up neatly, but the hacker's number could still be accurate.
17 Media first said that it did not look like a data set of theirs, but later said it was buying the data from the hacker. Whether it could buy exclusive rights at all is unknown, and in any case the hacker had already sold the data to other people, according to the site where it was for sale.
So, these two breaches represent close to 40 million users. The good news is that neither seems to contain credit card data, but if the passwords were reused elsewhere, all bets are off.
Information for Lifeboat came from Motherboard.
Information on the 17 app also came from Motherboard.