Is Microsoft's Minecraft under attack?

The account details of around 1,800 Minecraft players have been posted online, raising fears over a bigger breach in security. The leaked credentials were posted on Pastebin, a site that's routinely used to publish details of compromised accounts.

It's not clear where the account details have come from or who is behind the breach, although most of the published account details are believed to be those of German gamers. It's entirely possible that the compromised account details were stolen during an attack on another site/service, and that users have used the same username/password combination for Minecraft. A large part of the Minecraft audience is children, who are more susceptible to phishing attacks and other techniques used to steal account details.

The stolen credentials could be used to gain unauthorised access to Minecraft players' online worlds or download a full version of the game. The game has more than 100 million registered players, so the leaking of 1,800 credentials is a drop in the blocky blue ocean, although it's possible that the attackers may only have published a small selection of the compromised accounts to prove their validity. Hackers often attempt to extort money from companies by threatening to release compromised account/password details.

Microsoft bought Minecraft last year in a shock deal worth $2.5 billion. That would naturally make the game a richer target for attackers, although there's no evidence that any Microsoft or Minecraft systems have been compromised.

"My recommendation would be that if users have any concern that their accounts might be exposed to hackers that they should change their passwords immediately," independent security expert Graham Cluley writes on the Hot For Security blog. "It goes without saying that they should be particularly concerned if they are using the same password anywhere else on the web."

In a statement sent to Expert Reviews, Microsoft said: "We can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts. When we discover lists of gamertags, usernames and passwords posted online, we take immediate action to protect our customers by reviewing for valid credentials and resetting account access when necessary."
