The Data Breaches That Weren't
Minecraft is the latest company to be wrongfully accused of losing control of customer data. The real culprit: users themselves.
Earlier this week it looked as if the beloved Minecraft online game franchise would be the latest brand to be sullied by hackers, after the German website Heise reported on Monday that some 1,800 Minecraft accounts had been compromised, with user names and passwords posted on the information-sharing site Pastebin.
But – in a pattern that is becoming more common – those reports have turned out to be only partly true. While the Minecraft accounts were stolen, it appears that they were taken directly from Minecraft users, rather than from Microsoft, which owns the 100 million user-strong Minecraft franchise.
In a statement to The Guardian on Wednesday, Microsoft confirmed that its servers were not breached nor were the services on mojang.net, which runs Minecraft, compromised in any way. The company said it reset the passwords associated with the 1,800 leaked accounts – many of which belonged to users in Germany. However, those looking for the source of the leak were encouraged to look elsewhere.
Microsoft and Minecraft aren’t the only companies to be accused – falsely – of bungling security. In September, it was Apple Computer that found itself on the receiving end of unsubstantiated accusations of a breach in its iCloud service after salacious photos of high profile celebrities, including Jennifer Lawrence, appeared online. Those reports – also – were found to be inaccurate.
How did the attacks happen? In both cases, it is likely that the successful hacks were of the users themselves.
In the case of the Apple iCloud and the celebrities, attackers were highly selective, breaking into accounts by gaming password-reset challenge questions, a feature that has long been known to be susceptible to attack.
It isn’t known what led to the leak of German users’ Minecraft passwords. However, the list of possible causes is long: drive-by download malware at a German-language news or gaming site, malicious downloads from a Minecraft support group frequented by German-speaking users, or password harvesting from bot-infected systems. If credentials were shared between sites, attackers could simply cull them from other troves of stolen e-mail and password combinations, then try them on the Minecraft site to see if they work. Access to the user name and password of Minecraft users would allow the criminals to obtain a free copy of the $27 game – so there was an incentive.
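The replay of stolen credentials described above has a recognisable shape from the provider's side: one source trying many different accounts in a short span, most of them failing. The following script, added here as an illustration and not code from the article or from Microsoft or Mojang, runs that check over a handful of constructed authentication log lines (the line format, the hostnames and the thresholds are all assumptions) and reports which accounts logged in successfully from a flagged source, since those are the ones a provider would want to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the format is an assumption.
SAMPLE_LOG = """\
2015-01-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2015-01-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2015-01-20T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2015-01-20T10:00:03Z ip=203.0.113.5 user=dave result=OK
2015-01-20T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2015-01-20T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2015-01-20T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2015-01-20T10:01:30Z ip=198.51.100.7 user=alice result=FAIL
2015-01-20T10:02:00Z ip=198.51.100.7 user=alice result=OK
2015-01-20T12:00:00Z ip=192.0.2.9 user=gina result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: sorted usernames tried} for every IP that touched at least
    min_distinct_users different accounts inside one sliding window.
    A single user retrying a mistyped password (198.51.100.7 above) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the leaked
    credential evidently still works, so these are candidates for a forced reset."""
    return sorted({user for _ts, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evts)
    print("flagged sources:", sources)
    print("accounts to reset:", successes_from_flagged(evts, sources))
```

The distinct-user count is what separates credential replay from an ordinary brute-force attempt against one account; the latter is better handled by per-account lockout and rate limiting, which this check deliberately leaves alone.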
As accustomed as we are to hearing of sophisticated attacks against organizations – from Target to Sony – it is often the case that “carbon based systems” – users and employees – are the weak link in the security chain, rather than application “zero day” vulnerabilities or other overt methods.
User training can help – a bit. It’s also important to secure user credentials with second factors – a one-time password or some other token – to prevent account hijacking. And users need to break the habit of reusing credentials across different web sites and online services, so that a breach at one online property doesn’t spill over so easily to affect others as well.
Online providers can help with this a bit – discouraging the use of email addresses as user names, and enforcing strong password selection to make brute-force attacks harder to pull off. As it stands, however, few sites do so – with most erring on the side of ‘ease of use’ over security and privacy. Given the size and regularity of data breaches, however, that may soon change.
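Two of the provider-side measures mentioned here (resetting accounts whose leaked password still works, and refusing weak or already-leaked passwords at signup) can be shown in a few lines. The script below is an added example, not code from the article or from Microsoft or Mojang; the user store, the leaked dump and the iteration count are constructed assumptions. Because the store holds only salted PBKDF2 hashes, the provider can check a posted dump against its own records without ever keeping the plaintext passwords.

```python
import hashlib
import hmac
import os

# Assumption: work factor chosen for this example, not a value from the article.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a mismatch leaks nothing about where it differed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store (username -> (salt, digest)); not real Minecraft data.
USER_STORE = {u: hash_password(p) for u, p in [
    ("alice@example.org", "correct horse battery"),
    ("bob@example.org", "hunter2"),
    ("carol@example.org", "Tr0ub4dor&3"),
]}

# Constructed leaked dump in "user:password" form, as a pasted list might be laid out.
LEAKED_DUMP = """\
alice@example.org:wrongguess
bob@example.org:hunter2
carol@example.org:Tr0ub4dor&3
mallory@example.org:notourcustomer
"""


def parse_dump(text):
    """Split 'user:password' lines; the password may itself contain colons."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            user, _, pw = line.partition(":")
            pairs.append((user.strip(), pw))
    return pairs


def accounts_to_reset(store, dump_pairs):
    """Usernames whose leaked password still verifies against the store.
    These (and only these) get a forced reset; unknown users are ignored."""
    hits = []
    for user, pw in dump_pairs:
        record = store.get(user)
        if record and verify_password(pw, *record):
            hits.append(user)
    return sorted(hits)


def password_acceptable(password, leaked_passwords, username="", min_len=12):
    """Signup policy: a length floor, not equal to the user name, and not a
    password already seen in a leaked dump (reuse is exactly what replay attacks need)."""
    if len(password) < min_len:
        return False
    if username and password.lower() == username.lower():
        return False
    return password not in leaked_passwords


if __name__ == "__main__":
    pairs = parse_dump(LEAKED_DUMP)
    print("force reset:", accounts_to_reset(USER_STORE, pairs))
    leaked = {pw for _, pw in pairs}
    print("new password ok:", password_acceptable("correct horse battery", leaked))
```

Alice's leaked entry is stale (the dump's password no longer verifies), so she is left alone, while Bob and Carol are reset: that is the same selective reset the article credits Microsoft with, done without the provider ever learning which of its other customers' passwords appear in the dump.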