Hackers are reported to have stolen login details of over seven million members of Lifeboat, the Minecraft site that provides players with the option of running servers for playing customised and varied versions of the game on the smartphone edition. The data is now believed to be on sale on the dark web. Lifeboat confirmed that it was aware of the data breach but chose not to inform those affected.
The breached data included gamers' email addresses and passwords. Minecraft was actually hacked in early 2015, but information about the breach has emerged only now, thanks to security researcher Troy Hunt, who has a list of Lifeboat members' stolen credentials, as reported by the BBC.
A spokesperson for Lifeboat said: "When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked. We have not received any reports of anyone being damaged by this."
Lifeboat passwords were understood to have been weakly hashed using the MD5 algorithm. According to Hunt, this essentially allowed anyone to discover and verify people's passwords simply by Googling them. After uncovering the breach, Lifeboat asked gamers to reset their passwords. However, it chose not to alert users to the hack, in an effort to keep the hackers in the dark. It may have feared that alerting the public would also alert the hackers, pushing them to act in haste and steal all the data.
Lifeboat maintains that the data breach caused minimal damage since they are yet to receive reports from anyone affected by the hack.
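The weak MD5 hashing described above, and one way a site can move off it without a mass reset, shown as an added example that is not Lifeboat's code. It assumes the legacy scheme was plain unsalted MD5; the user names, password, scrypt cost parameters and record format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password):
    """Legacy scheme (assumed): unsalted MD5, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password, salt=None):
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(store, user, password):
    """Check a login; a matching legacy MD5 record is replaced with scrypt."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("scrypt$"):
        salt = bytes.fromhex(record.split("$")[1])
        return hmac.compare_digest(scrypt_record(password, salt), record)
    if hmac.compare_digest(legacy_md5(password), record):
        store[user] = scrypt_record(password)  # the MD5 digest is dropped here
        return True
    return False


def constructed_store():
    """Constructed sample: two hypothetical users who chose the same password."""
    shared = "correct horse"
    return {"alice": legacy_md5(shared), "bob": legacy_md5(shared)}


if __name__ == "__main__":
    store = constructed_store()
    print("identical MD5 records:", store["alice"] == store["bob"])
    for name in ("alice", "bob"):
        verify_and_upgrade(store, name, "correct horse")
    print("identical after upgrade:", store["alice"] == store["bob"])
```

Because the unsalted digests are identical for identical passwords, a single precomputed lookup covers every account that shares one; the per-user salt and memory-hard function remove that property, though accounts that never log in again keep their MD5 record until it is reset or invalidated.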