List of Minecraft Account Passwords Found in the Wild and Server Security Issues

Discussion in 'Bukkit News' started by EvilSeph, Mar 13, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph

    It has recently come to our attention that a list of Minecraft usernames and passwords have been posted online and we urge everyone to read the following announcement found on MCBans.com:
    To see if you're one of the people on the list, use this site:http://dinnerbone.com/minecraft.php

    However, we still encourage everyone to change their passwords anyway.

    If you are on the list, please feel free to PM Dinnerbone with a list of 3rd party mods you use so we can figure out what mod it was (if it was any of the public ones found within the Minecraft community).

    In light of this security issue, we feel it is time to make our CraftBukkit Recommended Builds public. We've been hard at work plugging up known exploits to prevent them from more easily griefing or taking down your server with whatever knowledge we have. As such, we are moving to make our Recommended Builds for CraftBukkit more official and known ASAP. We want everyone in the Minecraft community to benefit from the exploit fixes we've made to the Minecraft server by switching to Bukkit, until Mojang has dealt with things properly themselves. While we're still in talks with Mojang about licensing and their stance on Minecraft server modding, we feel this is a more than good enough reason to release our Recommended Builds to the public.

    To download our latest Recommended Build, visit the following link: http://ci.bukkit.org/job/dev-CraftBukkit/promotion/latest/Recommended/

    Please note, if you are updating to the latest Recommended Build we cannot guarantee that all the plugins you currently use will work properly so you'll have to do your own testing locally or on a test server. If you're new to Bukkit, please feel free to join our community and ask for help with moving over.
     
  2. Offline

    Kane

    Edited Message:

    I would like to add to this. Everyone including server admins should be copying and pasting this message on their forums to help spread the word.

    The next thing to do is inform your users on how important it is not to download stupid silly hacks from the internet. Almost all the malware keyloggers and crap come from this.

    In fact today maybe minutes ago someone on my server seam to have been infected by some kind of malware. It seams to insert it's self into chat conversations. I thought it was packet releated but then it would not make sense why it did not start till the person hit t button.. Notice how it's his where should be this.

    Check a look at this image:
    [​IMG]

    Now who knows if this is a Minecraft one but the best part of it was this links to a exe file that clearly is keylogger/malware.

    SO EVEN MINECRAFT players are at risk so watch CHAT. Always tell players not to download files from other players. And if you download a texture pack make sure it's just images and not class files.

    It's best to not download any client mods that are not from respectable authors who have been doing it for moths and NEVER download special modified mods from say other people in the threads and such. They might just be a trap waiting for you!
     
    DodgeWatt likes this.
  3. Offline

    Marlamin

    Thanks for patching up those griefing exploits, Bukkit team!
     
  4. Offline

    Draik02

    awesome work guys, thanks for the security update!
     
  5. Offline

    minecraftworlds

    Put this up on my website/ server website. Everyone on my server has changed their password thanks for notifying us!
     
  6. Offline

    user_2408

    Thanks for the information.
     
  7. Offline

    All4n

    Thanks!
     
  8. Offline

    ThomasJ

    Why am I not suprised :(
     
  9. Offline

    Myers Carpenter

    I think the recent work you guys have done to stop explots is great, but none of it (that I can tell) has anything to do with password stealing. If I understand the way the auth system work the server never sees the users minecraft password. So why do you start pushing Bukkit as if it's an answer to the password problem? You don't ever directly make the connection, but it seems to be implied by talking about the two in the same post.

    Or maybe I need to go read your commit log a bit closer....
     
  10. Offline

    EvilSeph

    We moved to push Recommended Builds out there more as we have fixed quite a few exploits that make it easier for people to grief (being able to free-cam anywhere without moving your character, being able to edit signs, being able to crash servers, etc).

    This is not connected to the password stealing issue, but it does relate to security of Minecraft overall.
     
  11. Offline

    ThomasJ

    Lets not forget, allow someone to login to your server (online mode) and assume someones identity if my commit log memory serves.
     
  12. Offline

    George

    I found 2 of my users that were on the list and have contacted them to change their passwords.
     
  13. Offline

    Lookatmego

    I sent out a bulk email to all my users..also all mibit chats that have anything to do with minecraft now know!
     
  14. Offline

    chopper

    When the new Launcher was introduced using the https authentication that wasn't working many of those who had deleted the old launcher scrambled to get another copy, however, I remember reading about malicious versions of the old launcher that were posted on minecraftforum.net I wonder if this is where the accounts were compromised.

    Edit: Looks like the thread I read has been deleted, but Google cached it:

    Page 1, Page 2
     
  15. Offline

    hello2u

    Checked all the accounts I knew for my servers, no one was on there.
     
  16. Offline

    Revelator

    Wonder why minecraft.net haven't even bothered posting that some of the accounts got breached and such.
     
  17. Offline

    anonymous

    Thanks for this, sending this to everyone :)
     
  18. Offline

    McLrn227

    Folks, what you're looking at is a screenshot from Team Avocado's most recent youtube video. Here, while Storm_surge is in the Reddit mumble, Warchamp sends him a message via Xfire telling him that their "Alt list" (the list of 1,000+ hacked accounts) was leaked.

    http://i.imgur.com/VKkEJ.png

    [​IMG]
     
  19. Offline

    Daniel Heppner

    The Bukkit grief protection (free-cam, edit signs, etc. except the crash server thing) should be toggleable for OPs so that I can spy and do evil things on my own server, but only on my own. Non-ops shouldn't be able to unless you explicitly say that they can.
     
  20. Offline

    ledhead900

    I spread the word to our users thanks for the notify
     
  21. Offline

    Krammeh

    You're mistaken here, if you look the other user started and stopped playing World Of Warcraft. An 'alt' is an alternative character in the same server.
     
  22. Offline

    Mentioum

    lpminecraft has been notified. Spread the word!
     
  23. Offline

    PanCakes

    why the hell do people say make a stronger password? Its a stealer who got all the passwords obviously a longer and stronger password wont change anything. Do you actually think that they bruteforce thousands of passwords and try to get the usernames password no they don't. Just dont be dumb and download minecraft hacks that are backdoored.
     
  24. Offline

    pagan0ne

    because a strong password is *ALWAYS* a good idea... and because once they have your username and a KNOWN weak password they may try to bruteforce aganst the account to recover password again. Always be suspicious.... *ALWAYS* use a STRONG password, and NEVER download or run things from an untrusted source.
     
  25. Offline

    Uniltiranyu

    well, my plugins seem to work, so im good here

    together we can stop spam
    [​IMG]
     
  26. Offline

    ndm250

    This post kinda annoys me.

    You guys do realize that minecraft accounts are pretty easy to hack. People are literally handing out free stolen minecraft accounts on forums I've been to. Nothing to get worried about. This "crisis" as mentioned is only a fraction to what really goes on. Also would like to point out that your account could be used by someone else without you knowing, lots of my friends "share" accounts with random people.

    The post should say "approximately 80,000 Minecraft account names and passwords are made freely available on the internet", just saying.

    So everyone just chill.
     
  27. Offline

    pagan0ne

    A hacked account it nothing to "chill" about, weather it be a MineCraft account, a random forum account, or otherwise. In this day and age of information if someone posts something under you account, or abuses your account in such a way as to give the account holder a bad reputation these things can come back to haunt the account holder in other aspects of life. A hacked myspace account (who uses myspace anymore anyway?) could be dangerous if someone posted information that may be considered anti-government or hinting at drug use... this could cause the account holder to be declined housing (yes this has happened to me, not hacked but declined because of "religious" content posted to a social network) declined job offers, or even losing a job in service of a government, in the same way a hacked minecraft account could come back to haunt the account holder if it became well known enough (a video of the user in-game greifing the whitehouse or making outrageous statements in chat) in a similar way. So yes, i take my account security very seriously even if it is "just a minecraft" account. This is not to mention the number of users on that list who no doubt use the same username and password for other accounts such as their email accounts, social networks, or even bank accounts..... account security is a VERY serious thing and should not be taken lightly....



    [edited for typos]
     
  28. Offline

    Jobsti

    Full ack
     
  29. Offline

    B_White

    SpongeCraft has been notified. Spread the word!
     
  30. Offline

    dark_hunter

    Glad I'm safe, checked that list.
     
Thread Status:
Not open for further replies.

Share This Page