Tens of thousands of Minecraft fan site accounts have been leaked according to Australian security researcher, Troy Hunt.
The 71,000 records of account details and IP addresses were taken from Minecraft World Map, a popular fan site for sharing worlds created in the game.
Minecraft is not only an immensely popular game, with nearly a million people playing at any one time, but it retains a notoriously passionate fan community, in part because the game allows players to create just about anything they want.
Stolen data included usernames, emails and IP addresses, along with passwords that were salted and hashed.
According to Hunt, over half of them had been on haveibeenpwned.com since shortly after Minecraft World Map was breached in January 2016.
Hunt announced the dump through his site's Twitter page on Sunday.
Hunt has made a name for himself with various revelations, including hacking a Nissan Leaf from across the world and being one of the first researchers to get a look at the dumped data from the VTech hack. Hunt has also created a repository for the data he receives from leaks, allowing people to check if their information has been stolen in many of the major breaches of the last few years.
Data is so often the bread and butter of hackers; it's how they make their money, so why just dump it for free and destroy its value? Hunt offered some insight to SCMagazineUK.com: “It's not always easy to monetise breached data, particularly when it's a very small volume and for a pretty low value site. Many people just hoard the data and redistribute it between other traders.”
Hunt doesn't think there's anything specific about gaming communities that makes them particularly vulnerable; we've seen spates of breaches in other verticals too. A lot of the time, he says, “it's due to known vulnerabilities in forum products that just simply haven't been maintained by the administrators.”
Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that the game's popularity with children makes this case particularly pressing:
“Many parents will use their own email address for registration, and combine it with a weak, easy-to-remember password so the child can login with no fuss. In a worst case scenario, you could end up with a website storing credentials insecurely, a weak password which is also used for the parent's email account, and reuse across multiple sites. In that situation, it isn't just the child's account at risk - it's any number of services used by the parents.”
Brian Chappell, director of technical services at Beyondtrust, said he doesn't believe there's anything unique to gamers that might make them vulnerable, but there might be to enthusiasts of specific hobbies.
He told SC: “I don't believe gamers are any worse or better than anyone else on the internet at managing their passwords. Web sites that are focused on specific activities are always going to present appealing targets to hackers as it's a concentrated collection of users with a clearly defined area of interest. Whether that's gamers, dog lovers or chartered accountants, it's likely there is a substantial list of users and with general password practice there will be a lot of account details that are reusable on other related or even unrelated sites.”
Stephen Armstrong, managing director at Logically Secure, added some insight for SC: “Most account compromises don't happen on the big networks (Xbox/PSN) as these are well protected and closely monitored. What are compromised are fan sites and forums and that is for good reason. The problem is that gamers like to hang out on social sites to mix with their fellow gamers to exchange tips and plan strategies or campaigns.” However, added Armstrong, “they tend to use the same email address and password combo for the forums and fan sites as they do their main online gaming accounts – so a compromise of a buggy/out of date forum can result in their online Xbox or PSN being hijacked and raided of all good games and in-game currency and assets. There is a substantial active market for in-game assets that returns real world currency with few or no questions as to where the gear came from.”