List of Minecraft Account Passwords Found in the Wild and Server Security Issues

Discussion in 'Bukkit News' started by EvilSeph, Mar 13, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    EvilSeph Retired Staff

    It has recently come to our attention that a list of Minecraft usernames and passwords has been posted online and we urge everyone to read the following announcement found on MCBans.com:
    To see if you're one of the people on the list, use this site: http://dinnerbone.com/minecraft.php

    However, we still encourage everyone to change their passwords anyway.

    If you are on the list, please feel free to PM Dinnerbone with a list of 3rd party mods you use so we can figure out what mod it was (if it was any of the public ones found within the Minecraft community).

    In light of this security issue, we feel it is time to make our CraftBukkit Recommended Builds public. We've been hard at work plugging up known exploits to prevent them from more easily griefing or taking down your server with whatever knowledge we have. As such, we are moving to make our Recommended Builds for CraftBukkit more official and known ASAP. We want everyone in the Minecraft community to benefit from the exploit fixes we've made to the Minecraft server by switching to Bukkit, until Mojang has dealt with things properly themselves. While we're still in talks with Mojang about licensing and their stance on Minecraft server modding, we feel this is a more than good enough reason to release our Recommended Builds to the public.

    To download our latest Recommended Build, visit the following link: http://ci.bukkit.org/job/dev-CraftBukkit/promotion/latest/Recommended/

    Please note, if you are updating to the latest Recommended Build we cannot guarantee that all the plugins you currently use will work properly so you'll have to do your own testing locally or on a test server. If you're new to Bukkit, please feel free to join our community and ask for help with moving over.
     
  2. Offline

    ndm250

    I started to laugh at how long your post was before I read it.

    Anyways, yeah, it is "just Minecraft"; nothing in Minecraft is worth getting upset over (like all video games). Unlike other more serious topics like Facebook, forums, bank accounts, etc. Sure, I would understand getting upset and informing everyone if people were posting stolen passwords like those over the internet, but it's Minecraft. If you were that concerned with account security you would have a different password for every one of your accounts and change it monthly.

    Also would like to point out how it takes literally 60 seconds to recover a stolen account (http://www.minecraft.net/forgotpass.jsp), so yeah..... CHILL.
     
  3. Offline

    4am

    If you are in the United States then you should get yourself a lawyer. It is highly illegal to deny someone housing based on their religious preference.
     
  4. Offline

    Cool12309

    I actually used that o_o but I looked and my password wasn't leaked... I also have one suspicious question: how did Dinnerbone find out who got their passwords leaked?
     
  5. Offline

    McLrn227

    Yes, while an "alt" also refers to an alternate toon on WoW. That is not what he's talking about.
     
  6. Offline

    Lunar Delta

    Project Genesis has been alerted. Thank you for this.
     
  7. Offline

    robin0van0der0v

    My server is alerted. :)
    1 person was on the list! He changed his password directly! :)
     
  8. Offline

    sem785

    cSurvival is up to date 'bout this, many thanks!
     
  9. Offline

    joelyrolly

    Cheers for the notice, I was unfortunately one of the people who was on the list. Luckily nobody had gotten to my account and changed the password before me!
     
  10. Offline

    Warchamp7

    Hahahahahhahaha. Whatever you say.
     
  11. Offline

    Huns

    Wow, griefer clients are written by griefers?!?

    I've seen the same thing happen in Second Life a bunch of times. There are a lot of 3rd-party clients, some of which are designed to steal content, etc. Every now and then, someone will put a packet sniffer on one of them and discover mysterious encrypted packets being sent to some server on the internet the same second the user logs in. The authors of the biggest "legit" client were found to have developed their own secret client that they could use to steal stuff out of other people's inventories (with full permissions) and other nasty stuff like that.

    ndm250 is right. This is going to happen repeatedly. There is no honor among thieves. If you trust someone else's client that they already precompiled, you might as well be handing them your Minecraft account and giving them permission to install keyloggers, botnet clients, and other malware on your computer.

    This is also why it's a good thing that Bukkit won't certify any plugin that's closed source.
     
  12. Offline

    pagan0ne

    I actually considered doing this (yes, I am US based), however I came to the realization that I wouldn't want to rent from a bunch of religious bigots who are pissed at me anyway because I had to take them to court over what had happened. I kindly mentioned this to them, and told them that I hoped their god was as kind as they were :)

    Honestly, I have separate passwords for every account, and change them every 90-150 days; they do not contain any acronyms or dictionary words, and are at least 14 characters long (where possible). My point is people are not as concerned with account security as they should be, and people don't expect their passwords to be leaked (i.e. this Minecraft leak), so they reuse the same password for much more sensitive stuff, i.e. bank accounts. Just because your account is secure and you have a clue how to maintain an online presence doesn't mean everyone else here does....
     
  13. Offline

    need4speed402

    I changed my password, thanks.
     
  14. Offline

    agafaba

    It should go without saying but...
    No matter what you make your password, be it 12345 or D#p9Qæ~s&5V, don't use the same password for your financial websites as you use for anything else.
     
  15. Offline

    Somebody

    Alright guys time to point some obvious stuff out.

    The only accounts that team Avocado had are from that time they asked for alt accounts. Thus, the only people whose accounts are compromised are those that support griefers. In other words, no problems.

    In fact I'd suggest releasing the list of names so that people can preemptively ban them, basically meaning that avo will be powerless.
     
  16. Offline

    PacketCollision

    I hacked together a quick script to test the whitelist on our server. I'm posting it here in case anyone else would like to check all their users at once.

    Code:
    #!/bin/bash
    # Look up each name in whitelist.txt and print the first line of the reply, minus the trailing HTML.
    while read -r line; do
      wget -q -O - "http://dinnerbone.com/minecraft.php?username=$line" \
        | head -n 1 \
        | perl -pe 's#(.*)<br /><br /><h2>.*#$1#'
    done < whitelist.txt
    
     
  17. Offline

    M1sT3rM4n

    Easy to get your account back, since MC doesn't allow email changes in profiles yet.
     
  18. Offline

    lechd

    That makes about as much sense as having someone euthanized for having a minor infection. While it's pretty much a given that AVO get their accounts through their supporters, it's also fair to guess that many of those accounts will enter multiple ban lists of their own accord.

    Currently, I don't believe anyone here actually knows where this particular leaked list originated from so jumping to conclusions is a bit pointless. And I'd suspect it would most likely stem from people foolish enough to download old clients from untrusted or unverified parties where the client was rigged to steal logins.

    Rather than jump to sinister conclusions and scarlet letter those who've been affected, it would be best to clue them in on what's happened with some possible ways of how it happened and give them a way to remedy the problem. Banning them across multiple servers with little reason or wild assumptions isn't exactly helpful and will only confuse some of those players further. It may also be possible that some of those players may never figure out what's happened if they only play in single-player mode so some type of auto-check by Mojang would be more useful in cases like this.
     
  19. Offline

    blinghung

    MCCHEAT It Phished Attacked Me And Stole Some Accounts
     
  20. Offline

    Clarrisani

    *sigh* Where's a facepalm emoticon when you need one? Firstly, of COURSE reddit/McBans are going to blame Team aVo for every little thing that goes wrong now. Heck, I'm sure the slightest little bit of server lag is going to have them screaming "aVo is ddosing us!" even when it's just normal server lag.

    Secondly, as pointed out, "alt" means "alternative account". Basically, someone has put out a list of all the alternative accounts that aVo use. So rather than jumping to conclusions, please apply a little common sense. -_-

    And honestly, if the list turns out to be people who support Team aVo and/or griefers, we're looking more toward someone from reddit/McBans as the culprit, not aVo.
     
  21. Offline

    Firestar

    Hold on, are you accusing my staff of using the list? Because that is what you insinuated. Let's get this clear: MCBans staff do not get paid and spend their own time to help the community just enjoy the game without griefers. MCBans does not have access to the usernames AND passwords; that file was removed and a text file containing the usernames is all MCBans has on record.

    Another note, MCBans is affiliated to reddit as much as it is ANY other server running on MCBans. Also notice in the message avocado is not mentioned once, blame was not placed on to any single group.
     
  22. Offline

    hash

    I've enjoyed reading the code in some of these recent commits. It's... well, we're dealing with smart folks in the Bukkit team :)

    ...Amen to that though. Really. Pseudo-magical incantations about how to make your password "stronger" are one of my greatest sources of vomiting. PanCakes is correct: the problem here is something that completely screams right past your password no matter how "strong" it may or may not be.

    I mean, people do brute force things, yes. But putting an "=" character in your password doesn't make you "stronger"; in fact, I'll go so far as to say that if everyone followed the exact same criteria in the OP, it would actually decrease password entropy. If you really want a concept of what does and does not impact brute forcers, go download John the Ripper and play with it. It's worth an afternoon; you're going to learn things that cover your ass for the rest of your life.

    Personally, I have a password of the I-hit-the-keyboard-till-I'm-tired sort for every site I deal with, and I use a program called "truecrypt" to store sensitive files like the one where I write them all down. I suggest googling it if you're not familiar; it's well designed, free, and just generally brawler.

    Among the dumbest things I've ever read. I probably don't need to explain why, but... really, if your most potent argument against someone distils to "loldongs u used to many wordz", you... need to go... erm, away.
     
  23. Offline

    PanCakes

    You might want to look at KeyScrambler, although stealers have antis and some have anti-KeyScrambler. The best way to not get your password stolen is, when you launch your client, never check "remember my password", because that's how stealers work. You can bruteforce, but to bruteforce 1 account could easily take over 3 days and your IP will get blacklisted after x amount of failures. The most common way people get infected is when they download the files to downgrade their client from the internet, because skids seize the opportunity to backdoor the files. Hacked clients are mostly all backdoored. If you download a file under 20mb and are very suspicious, I recommend uploading it to VirusTotal, but it can happen that no anti-viruses detect anything because it's maybe crypted, so if you run it the anti-virus vendors will look at the program and check the code.
     
  24. Offline

    Somebody

    Um, yes. That is what happened. Someone from avo (or that xiodine guy, whoever that is) leaked the list of alt accounts that they use. Which is what the guy you quoted said.

    Also, this is where the alt accounts came from:
    http://www.youtube.com/watch?v=4NNZqCZpfhc
    "If you have any extra accounts that you don't plan on using on the Reddit server, we'd really appreciate it if you could PM us the information."
     
  25. Offline

    EliteASH_11

    :confused: I'm safe, but playing on a server once I literally saw a guy post his password for his account accidentally; he was trying to use /lwc -c password
    I recommend everyone on my server to use /lwc -c private, not -c password
     
  26. Offline

    ZachBora

    I shall test my server's list of users against dinnerbone's website tonight. I've already tested our admins and mods and they are clean.
     
  27. Offline

    KILLAbeast2k10

    I was on the list but I changed my password :)
     