Leaked Minecraft usernames and passwords – a storm in a security teacup?


If you enjoy reading up on what’s new in computer security as you sup on your first coffee of the day you’ll have noticed that the outrageously popular online game Minecraft is in the news.

The blocky online building environment is attracting press because about 1800 Minecraft credentials (worth about $27 USD each) have been leaked on Pastebin.

The story began on the German language site Heise before it was picked up by The Guardian and did the round of security commentators.

Details on the apparent leak are non-existent – we don’t know if the credentials are new or old, how they were acquired or by whom. Meanwhile Minecraft’s creator, Mojang, appears to have nothing to say on the matter.

I suspect I know why.

The fact is that leaked credentials for websites and online games appear on the web every day – in fact it’s so common that there are entire websites devoted to sharing them. We almost never know if they’re old or new, how they were acquired or by whom.

By some standards, 1800 credentials is a lot – after all, it represents 1800 victims and a retail value of $46,000 USD, neither of which can be sniffed at – but as data leaks go it’s depressingly small fry.

Of course, what people are really worried about is that this small leak might be part of a much larger cache of credentials stolen in an Adobe-style break-in of the Minecraft network.

We have no evidence that a break-in has occurred and no evidence that a break-in hasn’t occurred – but the presence of 1800 leaked credentials on the internet represents little, if anything, new.

Users can be parted from their credentials by all manner of ugly, criminal techniques, not least malware infections and phishing, and 1800 credentials is a tiny fraction of Minecraft’s mammoth, 100 million strong user base – just 0.002%.

Given that Microsoft reported an average infection rate of 0.8% among its users in 2013 we might reasonably expect the ‘normal’ background level of stolen Minecraft credentials in circulation to be much greater than 1800.

And, of course, there is always the prospect that these credentials aren’t new.

I decided to search for some of the passwords to see if they had any kind of internet history that’s visible through Google.

Some of them didn’t, but the very first set of credentials I looked for – a gmail address and an eight character password – had actually been on quite a journey.

The pair’s earliest appearance is on a Portuguese forum entry dated 10 July 2014 – six months before they enjoyed a bit part in today’s news.

They go on to appear on more gaming forums in the following months – first on a Lithuanian language forum on 30 August 2014 and then on English language forums in October and November.

During December they turn up on a number of different blogs and leak sites, including Pastebin for the first time.

They crop up on different Pastebin pages a number of times during December and January. Then, on 19 January, they appear for the fourth time and along with 1799 others like them they become news.

Wherever I found this one set of credentials they were just one item in a list of many stolen Gmail or Minecraft credentials and the the rest of the list was not the same on every site.

Of course none of this means there hasn’t been a break-in at Minecraft but I’ll refrain from inviting you to speculate about that until something genuinely out of the ordinary happens.

What I can say is that these 1800 usernames and passwords are a timely reminder to choose a different, strong password for every website you use.

Thieves will attempt to use stolen usernames and passwords to login to accounts on popular websites like Twitter and Facebook, no matter where they came from.

If you struggle to remember all the passwords you need then you can use a password manager to help you.

And, if you’re not sure how to choose a password or why you should bother, our short straight-talking video explains:




via: sophos

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *