As security breaches go, they don’t get more vexing than this: 7 million compromised accounts whose passwords were protected with woefully weak unsalted MD5 hashes, and the outfit responsible still hadn’t disclosed the hack three months after it came to light. And as if that wasn’t enough, the service recommended the use of short passwords. That’s what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app.
The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.
Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to recover them simply by pasting the corresponding MD5 hash into Google. As if many users’ approach to password selection weren’t lackadaisical enough, Lifeboat’s own Getting Started guide recommended “short, but difficult to guess passwords” because “This is not online banking.”
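The reason a search engine can reverse these hashes is that an unsalted, fast digest maps every user who picked the same password to the same well-known string, so one precomputed table covers them all. The following added example (not Lifeboat’s code) contrasts that scheme with a per-user salt plus a slow key-derivation function; the tiny lookup table and the choice of PBKDF2-HMAC-SHA256 from the standard library are assumptions for illustration, and bcrypt, scrypt or Argon2 would serve equally well.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: a tiny table of unsalted MD5 digests for common
# passwords. Public tables like this are why an unsalted MD5 hash can be
# found by simply searching for it.
COMMON_PASSWORDS = ["123456", "password", "minecraft", "qwerty", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted_md5(password: str) -> str:
    """Weak scheme: a fast, unsalted digest. Identical passwords yield
    identical hashes, so one precomputed table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(stored_hash: str) -> Optional[str]:
    """Reverse an unsalted MD5 by table lookup, which is all a search engine does."""
    return MD5_LOOKUP.get(stored_hash)


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256,
    an assumed choice). Stored form: iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    weak = store_unsalted_md5("minecraft")
    print("unsalted md5:", weak, "-> recovered:", lookup_md5(weak))
    strong = store_salted_pbkdf2("minecraft")
    print("salted pbkdf2:", strong)
    # Same password, fresh salt: a different stored value every time.
    print("same hash for same password?", store_salted_pbkdf2("minecraft") == strong)
```

Note that salting alone only defeats shared lookup tables; the slow KDF is what makes guessing each user's password individually expensive.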