Lifeboat Minecraft community sees massive data leak

Apr 26, 2016 16:10 GMT

It appears that details of over seven million Minecraft gamers were being sold on the Dark Web, security researcher Troy Hunt revealed today on Twitter.

The data belonged to users of the Lifeboat Minecraft community and included user details such as usernames, email addresses, and MD5-hashed passwords.

Lifeboat is a small company that runs a Minecraft server for the game's Pocket Edition (mobile version) and has a devout following, offering multiple game types that make Minecraft more fun to play than usual, such as Capture the Flag, Bounty Hunter, Skywars, Spleef, or Fleet.

Data breach took place in January

Because the game is free to play and requires minimal information on sign-up, no financial information was included in the leak, which appears to have happened in January 2016.

Mr. Hunt says that he received the data from a source in the data trading underground community, who had also provided him with other leaks in the past.

In order to validate the data's authenticity, Mr. Hunt sought the help of Vice reporter Joseph Cox, who managed to confirm that it belonged to Lifeboat users.

Lifeboat didn't tell users about the incident

The two contacted Lifeboat's administrators, who acknowledged the incident and said they triggered a "silent password reset" for all user accounts.

Mr. Cox stated that the users that he contacted did not receive such a password reset notification when accessing their accounts or the game in the past three months.

Even though it contains no financial information, the data breach is extremely dangerous because Lifeboat administrators used MD5 to protect the password strings in their database. MD5 hashes are extremely easy to crack, and hackers don't even need complex software, since many online websites offer to break them for you.
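As an added illustration (not part of the original article and not Lifeboat's code), the Python sketch below shows the MD5 scheme beside a salted, slow alternative, with each legacy record upgraded the next time its owner logs in. It assumes the legacy records are unsalted hex MD5 digests, which the article does not confirm; the function names, record format and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5(password: str) -> str:
    """The weak 'before' scheme: one fast MD5 pass (assumed unsalted)."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """A bare 32-character lowercase hex string is treated as an MD5 record."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt.

    Returns (ok, new_record). new_record is not None when the caller
    should overwrite the stored value with the stronger hash.
    """
    if is_legacy(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (hash_password(password) if ok else None)
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    ok = hmac.compare_digest(dk.hex(), dk_hex)
    # Re-hash when the record was made with a lower work factor than today's.
    stale = ok and int(iters) < PBKDF2_ITERATIONS
    return ok, (hash_password(password) if stale else None)


if __name__ == "__main__":
    # Constructed sample record, not data from the leak.
    users = {"steve": legacy_md5("correct horse")}
    ok, new_record = verify_and_upgrade("correct horse", users["steve"])
    if ok and new_record:
        users["steve"] = new_record
    print(ok, users["steve"].split("$")[0])
```

Accounts that never log in again keep their MD5 record under this approach, so it complements a forced reset rather than replacing one.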

The Lifeboat leak is so massive in terms of the number of affected users that it managed to land on haveibeenpwned.com's Top 10 at the number eight position.