Attackers targeted Minecraft users directly, not developer Mojang, to enable an online leak of personal details, says parent company Microsoft.
The $2.5bn deal to acquire Mojang in September 2014 is believed to be part of Microsoft’s plans for providing content that will drive users towards its mobile platforms and Xbox games console.
Speculation about a cyber security breach at Mojang was sparked by a German media report that email addresses and passwords of more than 1,800 Minecraft players had been published on Pastebin.
Mojang’s customer database holds more than 100 million registered accounts for the PC version of Minecraft, but Microsoft has confirmed there was no breach, reports the Guardian.
This means the Minecraft player details published online were acquired in other ways, such as through email phishing attacks or spyware installed on their computers.
“We can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts,” Microsoft said in a statement.
“When we discover lists of gamertags, usernames and passwords posted online, we take immediate action to protect our customers by reviewing for valid credentials and resetting account access when necessary.”
Minecraft is lucrative hacker target
Minecraft is a likely target for hackers because of its database of users. The game has more than 100 million PC users, 30 million mobile users, and tens of millions of players on consoles.
Security consultants said the leak of Minecraft players’ details highlights why it is important to use a different password for every online account.
Independent security analyst Graham Cluley said usernames and passwords from online services are continually being published online and traded in underground forums.
He recommends that users of online services check regularly whether their credentials have been posted on the net.
“As well as Googling your own email address, you might consider using the free ‘Have I been pwned?’ service created by computer scientist Troy Hunt, and asking to be notified if a password breach occurs,” he wrote in a blog post.
Harvesting of passwords by hackers and the development of increasingly powerful password-cracking capabilities have led some IT industry players to seek alternatives to password-based authentication online.
The Fido Alliance is one consortium of IT, internet and financial services firms working together to develop specifications that define an open, scalable, interoperable set of protocols and mechanisms.
The aim is to enable suppliers to create interoperable products and services that allow a wide variety of alternative authentication mechanisms such as fingerprint readers, voice analysis, tokens and smartcards.
Abuse of administrator passwords is a key challenge to business and has recently been identified as a key element in the November 2014 cyber attack on Sony Pictures Entertainment.
A Mandiant report in February 2013 into Chinese cyber attacks against 141 organisations around the world showed that 90% involved the takeover of privileged accounts.
A November 2014 report that collated input from across the cyber security and forensics industry also revealed that privileged account abuse is common to all targeted cyber attacks.
In the absence of any mature alternatives to passwords, many security consultants are advising the use of two-factor authentication as an interim step to safeguard sensitive data.