Lifeboat Network has sprung a leak.
A division of Hydreon Corporation, Lifeboat runs servers for Minecraft Pocket Edition—the smartphone version of the immensely popular video game Minecraft. According to security researcher Troy Hunt, who maintains a database of compromised user credentials, accessible via his Have I Been Pwned? website, Lifeboat’s network was hacked in January 2016, resulting in a data breach exposing the mobile game’s seven million-plus user base.
Hunt, also a Microsoft regional director, publicly exposed the data leak yesterday on Twitter, noting that at the time, six percent of Lifeboat gamers’ credentials were already in his database.
In a subsequent interview with Motherboard, Hunt accused Lifeboat of failing to notify its customers of the incident. Moreover, the passwords exposed in the breach were hashed with the weak MD5 algorithm, making them susceptible to cracking.
Just today, Lifeboat issued a security update acknowledging the breach, noting that leaked information included usernames, “weakly encrypted passwords” and emails, but not personal information such as real names or addresses.
In its statement, Lifeboat explained that upon learning of the breach, it chose to be discreet, forcing customers to reset their passwords without explaining why. “We did not learn of the breach until late February. At that time we prompted you to choose a new password in-game,” the statement read. “The password that you chose is encrypted using much stronger algorithms, and we’ve taken steps to better guard the data.”
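To illustrate the gap between the unsalted MD5 records described above and the "much stronger" scheme Lifeboat refers to, here is an added example (not code from Lifeboat or from the article) of a login routine that verifies a legacy MD5 record and replaces it with a salted, iterated hash. The choice of PBKDF2-HMAC-SHA256, the iteration count, and the sample user records are assumptions; the statement does not name the new algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample records, not data from the breach. They emulate the
# legacy store: unsalted MD5, so two users with one password share one hash.
LEGACY_USERS = {
    "alice": hashlib.md5(b"creeper123").hexdigest(),
    "bob": hashlib.md5(b"creeper123").hexdigest(),
}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def verify_legacy_md5(password: str, stored_hex: str) -> bool:
    """Check a password against an unsalted MD5 record (constant-time compare)."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


def make_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Build a salted, iterated record: algo$iterations$salt_hex$key_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Authenticate against whichever scheme the record uses. A successful
    legacy match returns a replacement record in the salted scheme, so the
    store migrates as users log in or complete a forced reset."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, record), record
    if verify_legacy_md5(password, record):
        return True, make_pbkdf2(password)
    return False, record


def identical_records(password: str, scheme: str) -> bool:
    """Do two accounts sharing a password get the same stored record?
    True for unsalted MD5 (one cracked hash exposes every reuser),
    False once each record carries its own random salt."""
    if scheme == "md5":
        return (hashlib.md5(password.encode()).hexdigest()
                == hashlib.md5(password.encode()).hexdigest())
    return make_pbkdf2(password) == make_pbkdf2(password)
```

Because the legacy hash is fast and unsalted, the identical `alice`/`bob` records are exactly what makes a leaked MD5 table cheap to reverse; the salted scheme removes that shortcut without requiring users to be told a new password format is in use.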
In the Motherboard article, several Minecraft Pocket Edition players said they never received a password reset.
“I’m glad to finally see a statement from them, although I feel it makes some dangerous assumptions about the risks they consciously left people exposed to,” Hunt told SCMagazine.com via email. “By only prompting a reset in-game, people never learned of the risks to their other accounts where they’d reused credentials. To suggest they don’t know of anyone having had their email or other services hacked as a result is ludicrous; how would they know when nobody had any reason to point the finger at Lifeboat?”