SEVEN MILLION Minecraft Accounts Hacked

Gavin Phillips 02-05-2016

This is a short tale of blocks, broken trust, compromised accounts, cover-ups, and one of the most popular Minecraft community sites. The accounts of more than 7 million members of Lifeboat were compromised earlier in the year, and the data has reportedly been sold to the highest bidders on the Dark Net.


7 Million Users!

The massive breach was discovered in January Keep Up With The Latest Data Leaks - Follow These 5 Services & Feeds Read More by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. He received a tip off concerning the data from someone actively engaged in the trade of hacked login credentials, and had received other data from the individual in the past.

“The data was provided to me by someone actively involved in trading who’s sent me other data in the past”

His discovery exposed the lackadaisical security in place at Lifeboat, and the equally lackadaisical sequence of events that followed the breach.

Lifeboat runs servers for custom Minecraft Pocket Edition environments Should You Get the Minecraft Windows 10 Edition? If you bought Minecraft in the past, you can get the Windows 10 edition for free. Otherwise, you could use a 90 minute free trial. Meanwhile, see how we liked Minecraft on Windows 10. Read More . It allows players using the mobile version of the extremely popular voxel-builder The 10 Best Base Building Games and Kingdom Building Games Here are the best base building games and kingdom building games you can play right now. Read More to participate in the various multiplayer modes, such as Capture the Flag, or Survival. Lifeboat users connect to a community server, registering their desired username with an email address and password. Pretty standard stuff.

Unbeknownst to the users, Lifeboat then hashed the passwords with the now infamously weak MD5 algorithm, meaning the passwords would have been easy to crack using basic (and easily available) tools.


Following the Leak

When a company experiences a data breach involving the personal details of its users, the common course of action is to inform them Why Companies Keeping Breaches a Secret Could be a Good Thing With so much information online, we all worry about potential security breaches. But these breaches could be kept secret in the USA in order to protect you. It sounds crazy, so what's going on? Read More . Letting the users know their private email address and password for their account has unfortunately been acquired by a potentially malicious entity. It seems quite reasonable.

Lifeboat neglected to do this seemingly basic task, instead deciding that as the breached data contained no financial information, triggering a silent site-wide password reset would likely suffice. Even then, the security flaw story continues, with Lifeboat advising their users to create short passwords – literally the opposite of widely accepted password generation practice 7 Password Mistakes That Will Likely Get You Hacked The worst passwords of 2015 have been released, and they're quite worrying. But they show that it's absolutely critical to strengthen your weak passwords, with just a few simple tweaks. Read More .

“By the way, we recommend short, but difficult to guess passwords. This is not online banking.”

However, despite Lifeboat’s claims of a site-wide password reset, many users contacted in relation to the breach responded negatively, saying that they did not receive any such reset email, or a notification when entering the game or connecting to a Lifeboat server.

“It’s bad that they were breached in the first place, but not telling us about it is even worse”

What Went Wrong?

The Lifeboat data breach reads like a list of what not to do in the event of an emergency. The breach itself has immediately placed at #7 in the Have I been pwned top 10.


Have I Been Pwned Top 10 Data Breaches April 2016

It is the systematic failings that have attracted such attention. Not only were the email address and passwords breached, but users were actively encouraged to weaken their own chance at ensuring personal data security by an ill-advised password recommendation. Then to really top it off, Lifeboat had hashed the passwords using an easily breakable encryption method.


If Lifeboat had chosen the opposite advice – use longer passwords featuring a combination of letters, numbers, and symbols – the data would have been much less attractive for those data traders. Consider this: a password containing six alphanumeric characters is limited to just 626 (26 lowercase, 26 uppercase, numbers 0-9). Even using basic online tools, security researchers or malicious parties will have that password cracked in weeks. Offline tools, using a powerful computer, it’ll be cracked in seconds.

Compounding the terrible password advice was their own poor security housekeeping. Lifeboat opted for unsalted MD5 hashes to obscure the plaintext passwords. While offering a base level of protection, MD5 was designed to offer extremely fast, resource-light encryption How Does Encryption Work, and Is It Really Safe? Read More . At its genesis, these qualities made MD5 a pretty handy tool. Most retail computers simply didn’t have enough power to crack the encryption.


However, times change, and our home computers are vastly superior to those developed just a decade ago, drastically undermining the effectiveness of anything hashed using MD5.

Unsalted Passwords

And just to rub salt in the wound, Lifeboat made a final blunder. The MD5 hashes protecting the passwords were unsalted What All This MD5 Hash Stuff Actually Means [Technology Explained] Here's a full run-down of MD5, hashing and a small overview of computers and cryptography. Read More . This means the plaintext passwords weren’t combined with a unique value for each user account, making the cracking and matching process that much easier.

Salting basically ensures each individually hashed password is entirely unique, even if they contain identical characters. Anyone wishing to view the passwords would have to crack each hash individually.

Safe to Return?

Lifeboat haven’t issued too many statements concerning the breach. Their stance, I believe, remains that while the data breach is reprehensible, as they do not hold any additional personal information or financial information, the damage should be relatively limited. Lifeboat has also confirmed that MD5 is no longer in use at the site, or on any of its servers.


“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. We did this over a period of some weeks.”

Even if the direct damage is limited, there could be other fallout. People are generally lazy when it comes to passwords, using only a handful to protect all of their online accounts.

While the risk of a single breach exposing a number of accounts is magnified, the lesson should be clear: if you really care about the sanctity of your accounts, your private, personal data and more, use a strong, unique password for each one. So when a service is breached, you won’t become a statistic.

By the way, Lifeboat users: it is time to change all of your passwords.

Have you been affected by the Lifeboat hack? Will you trust Lifeboat again? How do you keep track of your passwords? Let us know below!

Related topics: Minecraft, Online Security, Password, Security Breach.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. ben
    May 3, 2016 at 11:22 am

    Once again instant panic. Guess what. Lifeboat does not keep any financial info. They don't keep any personally identifiable info ( unless the user themselves posted it, which is against site policy) They warned users not to use the same password as any other accounts on other sites. They did a site wide password reset. I do agree that telling people to use a short easy to remember password was a mistake. But a lot of the kids on a site like this will do that anyway.

    Their mistakes were not immediately informing their users and encouraging easy to crack passwords. There was nothing for the hackers to steal from the lifeboat accounts themselves - beyond taking over and using some accounts to troll the member or site.

    Those users who did follow the policy. and then immediately changed their password are safe. Those who didn't follow policy, and then didn't change their password are vulnerable to further problems.

    #1 Do NOT use the same username/password combination on more than one site - NEVER.

    #2 when you see a site you use has been hacked - change your password immediately. Then change all other passwords on any important sites that do keep financial or personally identifiable info

    #3 Do use a long password that is not easy. However, this is a game site, not a bank or Fort Knox, write it down if you have to, but don't keep your plaintext password list on line or on your computer.

    #4 Better than keeping a written list is to get a password manager. Their are several good ones that are FREE.

    #5 Use 2 factor security when it is available.

    • Gavin Phillips
      May 3, 2016 at 12:51 pm

      Yes. The redeeming factors were the lack of financial and extensive personal information, but the plethora of other failings are clear (as I see you can see). Thank you for your login and password security list :D

  2. Anonymous
    May 3, 2016 at 5:33 am

    Up until a few years ago, I tried to use human friendly passwords. Once I had over 100 passwords, that became a waste of time. With the constant breaches, I had to keep changing them anyway.

    KeePassX to the rescue! It's a cross platform (Linux, Windows, Android) password safe. It has a password generator with lots of options and I use it now for almost all my passwords. I just have to remember its password! (And I make lots of backups of its database.)

    For sensitive files on my computer, I use kgpg (public key encryption), but I also keep any I'm not currently using on external drives which are usually sitting in storage boxes, not connected to anything.

    So, if somebody gets one of my passwords, the breach is limited to that account.

    If I lose my password safe or go somewhere without it, I lose access to everything, but that's an inconvenience I can live with knowing that it will be really hard (way more effort than it's worth) for anybody else (excluding nation states, etc.) to access my information. without my permission.

    If it costs more to access data than the data is worth, then that's about as safe as it gets.

    • Gavin Phillips
      May 3, 2016 at 12:53 pm

      It is ridiculously difficult to keep track of the myriad passwords, but using a manager as you've suggested is one of the best options. Certainly vastly superior than keeping a plaintext file on your computer.

  3. Anonymous
    May 2, 2016 at 6:33 pm

    I would like to suggest a change in the title for this article. After reading it, it's clear that no Minecraft accounts were hacked.

    The Lifeboat servers were compromised, and the Lifeboat usernames, emails, and passwords, were compromised, but the actual Minecraft user accounts are safe. I would say that makes the title completely misleading, and borderline clickbait.

    • kammak743
      May 2, 2016 at 8:35 pm

      Definitely agree with all that.

    • Gavin Phillips
      May 3, 2016 at 12:54 pm

      Normally I would try and defend the title...but I won't. Sorry.