You’d think you’d hear about a hack that affects over 7 million people … unless the company chooses to “cover it up.” Thankfully that is changing thanks to security researcher Troy Hunt, via Have I Been Pwned.
Scale-wise, it's a big breach. Lifeboat is listed in Have I Been Pwned’s top 10 breaches; it currently is ranked eighth with 7,089,395 compromised accounts.
In search results, Lifeboat Network is summarized as “Join eight million others in a game changing Minecraft Pocket Edition experience.” The Pocket Edition is the mobile version of Minecraft. Once Minecraft PE is installed on a mobile device, a user connects to the Lifeboat Network and registers a username and password using a valid email address. In the words of Lifeboat, “Use a real email – You will need to use it if if [sic] you ever forget your password, so be sure it is valid. By the way, we recommend short, but difficult to guess passwords. This is not online banking.”
Of course it’s not online banking, but pray for the safety of any poor soul who uses the same password for a game that they use for banking, because that does happen. More likely still, many people reuse their Lifeboat password on other online sites. A prime example of that was given by Hennihenner, a self-described “casual gamer” in Germany.
Hennihenner was notified by Have I Been Pwned’s Troy Hunt to help verify if a new breach was legit. It was, and Hennihenner was spooked, worried about accounts he considers important, such as YouTube, Reddit, Twitter and Steam, because he had used the “same password since 2011.” Although he knew it was a “bad idea,” he had justified his password reuse by thinking he only used “safe websites” or thought no one would hack an account that is not connected to money. But after learning Lifeboat had been breached and his password was floating around in the cyber ether, he got to work changing all his passwords.
Why did Hennihenner not change his password after Lifeboat notified him about the breach? Because Lifeboat didn’t notify him about the breach, which occurred in January. In fact, it seems likely that Lifeboat didn’t notify any of the more than 7 million users. Instead, a Lifeboat representative told Motherboard:
When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act. We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.
Hunt told Motherboard he was notified of the Lifeboat breach by an individual “actively involved in trading who’s sent me other data in the past.”
Regarding the fact that Lifeboat “tried to cover it up,” Hunt said, “Let me put the insanity of this in context: multiple people I contacted were left totally exposed with no idea that their long-held, tried-and-tested password they'd used everywhere was now in the hands of hackers.”
“Like it or not, this is what people do,” Hunt wrote. Even if developers of a new site are careful with setting up account management features, “people will use credentials that will unlock their bank account or, even worse, their email.”
The passwords, according to Hunt, had been stored with a weak MD5 hash and were not salted, meaning it was “very close to useless cryptographic storage.” Combine that with Lifeboat not alerting users to the breach, and Hunt said, “I'm not sure that I've seen such a blatant disregard for personal account information before. It's no wonder I'm kept so busy these days!”
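To make concrete why an unsalted MD5 store is “very close to useless,” here is a small added example (not code from the article, from Hunt, or from Lifeboat) built on constructed sample passwords. It shows the two properties that make such a store cheap to reverse: every user with the same password gets the identical digest, and because no salt is mixed in, a single precomputed table of digests for common passwords answers every account with one dictionary lookup. Beside it is the hardened form a defender would want: a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 is used here as an illustrative choice; the iteration count is an assumed parameter), with a constant-time comparison on verification.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for the demonstration; nothing here comes from the Lifeboat breach.
COMMON_PASSWORDS: List[str] = ["123456", "password", "minecraft", "letmein", "qwerty"]

# Assumed work factor for the hardened scheme (tunable; higher is slower for an attacker too).
DEFAULT_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme described in the article: a bare MD5 digest of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: List[str]) -> Dict[str, str]:
    """Precompute digest -> password once. With no salt, the same table serves every account."""
    return {unsalted_md5(p): p for p in candidates}


def reverse_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from a leaked unsalted digest with a single dictionary lookup."""
    return table.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hardened form: random 16-byte per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The stored string carries the algorithm, iteration count and salt so that
    verification is self-describing and the work factor can be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Contrast the two schemes on two constructed users who chose the same password."""
    alice_pw = bob_pw = "minecraft"

    # Weak store: identical digests reveal shared passwords, and the table reverses both at once.
    weak_alice, weak_bob = unsalted_md5(alice_pw), unsalted_md5(bob_pw)
    table = build_lookup_table(COMMON_PASSWORDS)

    # Hardened store: different salts give unrelated hashes, and no shared table applies.
    strong_alice = hash_password(alice_pw, iterations=iterations)
    strong_bob = hash_password(bob_pw, iterations=iterations)

    return {
        "weak_digests_identical": weak_alice == weak_bob,
        "weak_reversed": reverse_unsalted(weak_alice, table),
        "strong_hashes_identical": strong_alice == strong_bob,
        "strong_verifies": verify_password(alice_pw, strong_alice),
        "strong_rejects_wrong": verify_password("not-the-password", strong_bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that salting alone does not rescue MD5: the salt defeats the shared precomputed table, but it is the slow, tunable KDF that makes each individual guess expensive.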
In defense of not notifying its users of the breach, another Lifeboat spokesperson told Motherboard, “We have not received any reports of anyone being damaged by this.”
If a user had no clue their data was in the hands of bad actors thanks to the site being hacked, then there would be no reason for anyone to contact Lifeboat with a damaging report. Now that the hack is hitting the news, I guess we’ll see if that holds true.