Risk Assessments/Management, Data Security, Breach, Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Threat Management, Threat Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Over 7M Minecraft mobile credentials exposed after Lifeboat data breach

Lifeboat Network has sprung a leak.

A division of Hydreon Corporation, Lifeboat runs servers for Minecraft Pocket Edition—the smartphone version of the immensely popular video game Minecraft. According to security researcher Troy Hunt, who maintains a database of compromised user credentials, accessible via his Have I Been Pwned? website, Lifeboat's network was hacked in January 2016, resulting in a data breach exposing the mobile game's seven million-plus user base.

Hunt, also a Microsoft regional director, publicly exposed the data leak yesterday on Twitter, noting that at the time, six percent of Lifeboat gamers' credentials were already on his database.

In a subsequent interview with Motherboard, Hunt accused Lifeboat of failing to notify its customers of the incident. Moreover, passwords accessed in the breach also hashed with a weak MD5 algorithm, making them susceptible to cracking.

Just today, Lifeboat issued a security update acknowledging the breach, noting that leaked information included usernames, “weakly encrypted passwords” and emails, but not personal information such as real names or addresses.

In its statement, Lifeboat explained that upon learning of the breach, it chose to be discreet, forcing customers to reset their passwords without explaining why. “We did not learn of the breach until late February. At that time we prompted you to choose a new password in-game," the statement read. "The password that you chose is encrypted using much stronger algorithms, and we've taken steps to better guard the data.”

In the Motherboard article, several Minecraft Pocket Edition players said they never received a password reset.

"I'm glad to finally see a statement from them, although I feel it makes some dangerous assumptions about the risks they consciously left people exposed to," Hunt told SCMagazine.com via email. "By only prompting a reset in-game, people never learned of the risks to their other accounts where they'd reused credentials. To suggest they don't know of anyone having had their email or other services hacked as a result is ludicrous; how would they know when nobody had any reason to point the finger at Lifeboat?"

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.