The email addresses and passwords of 1,800 Minecraft users have been posted online.
According toHeise, the details were published online in plain-text format, although it remains unclear how they were obtained, reported the Guardian.
The report states that the details would allow strangers to log in to each of those user’s accounts on Minecraft to play online, and download the game to their own computers.
However, the more serious implication would be for any players who had used the same email address and password combination for other online services, from shopping and banking to email and social networking.
The game has 100 million registered accounts for its PC version alone, and was acquired by Microsoft in 2014 for $2.5 billion.
TK Keanini, CTO of Lancope, told IT Security Guru that “software is software and everything can be hacked”.
He claimed that there was a time when console game developers had a false sense of security because they were on a console but quickly learned they were wrong, and once a single person learns the hack, it spreads like wildfire on social networks to thousands forcing the vendor to urgently release an update.
“Attackers target gamers for two very attractive reasons: 1) they are accustomed to signing up to online systems and disclosing personal information and 2) they are accustom to downloading and installing software from unknown sources or without understanding the manifest,” he said. “Anytime you have to download something from an unknown source, well over 50 per cent of the time it is going to have something nasty bundled in there.
“There has been both in-game and out of game notable attacks where the entire community of gamers were affected. This includes attacks on the Playstation Network, EVE Online, and Steam. These
are highly visible and visibility is not what attackers like. They are more interested in attacking these users on a more individual basis with more attainable objectives like just getting malware installed on the PC or mobile device, or grabbing the credentials to the gaming network and monetizing the credit card information.”
Keanini claimed that in-game commerce is standard these days, and that is what makes these worlds attractive to cyber criminals, as designers of these online games with massive numbers of players have done well with their countermeasures, because they understand that the security investment is just a part of doing business. “It is the game of security and they are not playing to win, they are playing ‘not to lose’,” he said.
“While platforms and online systems change, at a high level the same weaknesses are being exploited by attackers. Anywhere a user can be fooled to disclose sensitive information or download untrusted software there will be a problem.
“The biggest change overall is the tempo of the threat as they create new forms of exploitation and attack. Online gaming in all forms change the distribution model for both the community of gamers and equally for community of criminals.”
Clinton Karr, senior security strategist at Bromium, said: “Users should be sure to also change the password on any other web sites where they might have used the same password, and should avoid such practice in future. Watch out for phishing emails appearing to come from Microsoft Xbox Live — log into the Xbox Live site directly rather than clicking on a link in an email.”
Jon French, security analyst at AppRiver, said: “As with any login out there, people should be using unique passwords and cases like this just re-enforce that. If someone uses the same password everywhere, all it takes is one leak to possibly compromise a lot of things.
“Specifically with gaming this can bring up another point. Many users, I’d say a large majority, use the same usernames online as well. With gaming as popular as it is online, you can usually google someone’s username in a game and get an idea of other games they play as well from statistic trackers and forums. So in the case of someone reusing usernames and passwords, this can be a huge impact on them by just one game getting compromised.”20
