Lifeboat, a service that runs custom servers for Minecraft Pocket Edition, has suffered a data breach affecting seven million accounts.
Discovered in January – yes, January – the data breach affected users’ email addresses and usernames. Troy Hunt, security researcher and creator of the ever-useful site haveibeenpwned.com, was handed the information by someone involved in trading data.
When questioned about the breach, Lifeboat said “When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. […] We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.”
“We have not received any reports of anyone being damaged by this”.
However, Motherboard questioned a few affected members who stated that they hadn’t received password resets.
Poor password security
On top of the poor communication from Lifeboat to its members, Hunt also found that passwords were hashed with the notoriously weak MD5 algorithm.
“I was able to easily verify people’s passwords with them simply by Googling them, such is the joy of unsalted MD5,” said Hunt in an email to Motherboard.
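The following is an added example, not code from the article, Lifeboat or Troy Hunt. It shows why unsalted MD5 is so easy to look up: the digest depends only on the password, so every account with the same password stores the same value, while a per-user salt plus a slow key-derivation function gives each account a unique record. The usernames, passwords, function names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: usernames and passwords are made up.
USERS = {"alex": "dragon123", "sam": "dragon123", "kit": "c0rrect-h0rse"}


def md5_unsalted(password):
    """Weak scheme from the article: a bare MD5 digest with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password, iterations=600_000):
    """Hardened storage: random per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key, iterations


def verify_salted(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt, key, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


def shared_digests(table):
    """Group users by stored value; a group larger than one means the stored
    value alone reveals that those accounts share a password."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def audit():
    """Store the same users under both schemes and compare what leaks."""
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: hash_salted(p) for u, p in USERS.items()}
    strong_hex = {u: rec[1].hex() for u, rec in strong.items()}
    return shared_digests(weak), shared_digests(strong_hex), strong


if __name__ == "__main__":
    weak_dupes, strong_dupes, _ = audit()
    print("unsalted MD5, users sharing a stored digest:", weak_dupes)
    print("salted PBKDF2, users sharing a stored value:", strong_dupes)
```

Because the unsalted digest is identical wherever that password is hashed, a value computed once and published anywhere matches every affected account, which is what makes a plain web search sufficient.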