
Mojang Reveals How Minecraft Passwords Were Stolen

Minecraft developer Mojang revealed on Wednesday how the usernames and passwords of 1,800 accounts were recently stolen. The studio reassured gamers that it wasn't hacked and instead blamed the theft on a phishing attack. Essentially, these Minecraft gamers were tricked into providing their usernames and passwords when directed to fake Mojang/Minecraft websites.

"If you haven't received an email from us, you don't need to worry. No one has gained access to the Mojang mainframe," Mojang reported. "Even if they did, we store your passwords in a super encrypted format. Honestly, you don't need to panic."

Mojang didn't go into detail about the phishing attack, but instead requested that Minecraft players use a unique password when logging into their account. That way, if Mojang does get hacked in the future, the crooks won't have access to other online accounts used by Minecraft gamers such as email and banking.

Microsoft, which purchased Mojang for $2.5 billion back in September 2014, indicated on Wednesday that there was no sign of foul play on the server side. However, the company admitted that it quickly reset the passwords of the affected Minecraft accounts after the published list of account info surfaced.

Mojang and Microsoft provided instructions on how to create a strong password right here, noting that a good password should be easy to remember but difficult for hackers to guess. Avoid obvious phrases such as a pet's name or a birthday. A password should also include not just a long string of numbers and letters, but at least one capital letter.

"You need to pick a really strong password, something that not even the most powerful computer can crack within a reasonable amount of time," Mojang stated.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

  • Morbus
    They store our passwords?

    They're doing it wrong. Ever heard of hashes?
    Reply
  • canadianvice
    You could stand to read the article - it was a phishing attack.
    Stupid people being duped into giving up passwords to illegitimate sites.

    No pity for them.
    Reply
  • bluegman991
    Did this guy really suggest a hash over encryption?
    Reply
  • agnickolov
    Hashing is a one-way transformation - there's no way to obtain the password from the hash alone other than guessing. Therefore it's actually more secure than encrypting and storing the password. Doing both, e.g. encrypting the hashes, is obviously better than either one in isolation, of course. Then there's also salting, which additionally improves security by pre- or appending text before hashing and/or encryption.
    Reply
  • Metheglin
    Needs to be salted otherwise too easy with rainbow tables.
    Reply
  • Kelthar
    I'm pretty sure they know how to hash passwords with a salt. The communication they put out had a low level of tech involved; getting into details of how passwords were stored/checked seemed unnecessary, at least as I see it.

    But I'm pretty sure Mojang knows that they're supposed to use a hash, and a unique salt for each password.
    Reply
  • Christopher1
    You could stand to read the article - it was a phishing attack.
    Stupid people being duped into giving up passwords to illegitimate sites.

    No pity for them.
    With all due respect, phishers are getting VERY VERY good at obfuscating the fact that you are not on the actual legitimate website of the game maker.
    Sure if you look at the urlbar in your browser, you might see that instead of mojang.com it is going to steal-your-password.kr but many people just click on links in e-mails and do not bother to do that.
    Reply
  • canadianvice
    15144222 said:
    You could stand to read the article - it was a phishing attack.
    Stupid people being duped into giving up passwords to illegitimate sites.

    No pity for them.
    With all due respect, phishers are getting VERY VERY good at obfuscating the fact that you are not on the actual legitimate website of the game maker.
    Sure if you look at the urlbar in your browser, you might see that instead of mojang.com it is going to steal-your-password.kr but many people just click on links in e-mails and do not bother to do that.

    Then they should be checking that. People shouldn't own what they can't use properly. The only way phishing works is because of stupid, lazy people.

    Reply
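Several replies in the thread (agnickolov, Metheglin, Kelthar) touch on hashing, salting and rainbow tables. As an added example that is not from the article, the commenters, or Mojang, this Python code shows why a unique per-password salt defeats a precomputed digest table; the iteration count and the `pbkdf2_sha256$iters$salt$digest` storage format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor is an illustrative assumption; real deployments tune it to their hardware.
ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """The scheme Metheglin warns about: same password, same digest, every time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates: List[str]) -> Dict[str, str]:
    """Tiny stand-in for a rainbow table: digest -> plaintext for a list of guesses."""
    return {unsalted_sha256(p): p for p in candidates}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iters$salt$digest' (assumed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh, unique salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:  # malformed record: reject rather than crash
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def table_lookup(table: Dict[str, str], stored: str) -> Optional[str]:
    """Succeeds only when the stored value is an unsalted digest the table already knows."""
    return table.get(stored)
```

Two users who both chose "hunter2" get identical unsalted digests (one table lookup recovers both), but distinct salted records that the table cannot match.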