Lifeboat Networks, a developer of games on Minecraft, has confirmed that it has suffered a security breach. In a press release it said: “We regret to inform you that the contents of our account database was leaked to the internet. We take this seriously, and apologize for this breach of trust. Leaked information included usernames, weakly encrypted lifeboat account passwords, and emails. It did not include any personal information such as real names or addresses.”
The breach first occurred in late February and users were initially prompted to change their passwords. Users were not told why they were being prompted, and Lifeboat has not disclosed how many users bothered to change their passwords. According to ethical hacking site Digital Munition, Lifeboat admitted that: “…it was aware of the attack but it preferred not to disclose it to the users.” The net result is that for the last two months hackers have been able to try username/password combinations on other gaming and social media sites to see how many users reused their credentials.
While it is often hard to see a positive from any security attack, there is one here. Lifeboat has said that it will be switching its accounts to the Microsoft Xbox Live service. This won’t happen overnight as it requires a fair amount of integration work. Some of that appears to have already been underway judging by the press release.
Lifeboat has not yet said whether the passwords were encrypted or how strong the encryption is. According to a number of sites, Lifeboat had used a simple hashing algorithm to protect the data. The problem is that tools to crack simple hashes are already freely available to hackers. This means that passwords would have been quickly recovered and sold on.
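To show why a simple hash is so little protection for a leaked database, here is an added example (not Lifeboat's code; the three user records are constructed) contrasting an unsalted fast hash, where every user with the same password gets the same digest and one precomputed table cracks the whole dump, with a per-user salted, deliberately slow key derivation:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample records (username, plaintext). Not real Lifeboat data.
SAMPLE_USERS = [
    ("alice", "minecraft123"),
    ("bob", "minecraft123"),      # same password as alice
    ("carol", "Diamond!Pickaxe9"),
]


def weak_hash(password: str) -> str:
    """Unsalted fast hash, as used by many leaked databases.
    Identical passwords give identical digests, so one lookup table
    built from common passwords cracks every record in the dump at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_digests(records) -> int:
    """Count users whose digest is shared with someone else: a quick
    audit signal that a dump is unsalted and exposed en masse."""
    digests = [weak_hash(pw) for _, pw in records]
    return sum(1 for d in digests if digests.count(d) > 1)


PBKDF2_ITERATIONS = 200_000  # tuned so a single guess costs real CPU time


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF. The salt defeats precomputed
    tables and makes equal passwords produce different stored values.
    Stored as 'pbkdf2$iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    print("users sharing a weak digest:", duplicate_digests(SAMPLE_USERS))
    record = hardened_hash("minecraft123")
    print("hardened record:", record)
    print("verify correct password:", verify_hardened("minecraft123", record))
```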
The arrival of GDPR will force companies to change policies
Matt Middleton-Leal, regional director of UK and Ireland at CyberArk commented: “The new data protection legislation from the EU will mean there is no hiding place once breaches are discovered, so companies will have to face up to the reality of having to explain, immediately, what data has been compromised and what user details have been leaked. This situation serves to underline a truth that all companies face – hackers are likely inside their defences already. The key to dealing with this reality is to recognise this and to limit the data that they can get to once inside. It is much better to have to admit to losing a few pennies from your pocket rather than the keys to your house.”
Middleton-Leal is not the only one who believes that the GDPR will force a shake-up in the way that companies deal with security and passwords. Phil Dunkelberger, CEO of Nok Nok Labs, commented that there are worries about: “the secretive approach that Lifeboat seems to have taken in response to this breach, quietly forcing a password reset rather than notifying its users of the breach. With the impending European General Data Protection Regulation (GDPR) mandating strict notification windows and harsher penalties for non-compliance, Lifeboat will need to seriously examine its breach response and notification policies as a failure such as this could have very costly repercussions indeed.”
Biometric security or multi-factor authentication?
Dunkelberger certainly seems to think so, saying: “Too many companies continue to rely on outdated and insecure usernames and passwords, and as we become increasingly lax about defending those credentials, we have a perfect storm for data loss. Biometric authentication is quickly becoming the method of choice to prove we are who we say we are online – and a compelling way to step beyond the security pitfalls of traditional password-based logins. As authentication through fingerprints, face, eye, voice recognition and so forth is considerably easier in practice, and as advances in technology make this a feasible reality, more organisations should be looking to these technologies to keep users safe.”
Dunkelberger is not the only vendor spokesperson calling for the industry to scrap passwords for biometric security. The problem is that there is no valid comparison of strong passwords versus biometric security. Biometric security has had its own problems, with early versions being poor and easily defeated. The difference between that and password cracking is that biometrics tend to be defeated device by device rather than cracked en masse, as happens when a password database leaks.
There are also challenges when biometric security fails. In the UK, the Border Agency is currently replacing many of its existing biometric passport readers. One of the reasons is that they are slow and have been suffering increasing numbers of failures. Typical of those failures is that the original software was unable to cope with men growing beards or significant changes in hairstyles. This was caused by the way the initial biometrics were created for the passports and the fact that the software was using simple facial recognition rather than complex biometric recognition.
Mobile phone vendors have also had to introduce a fallback to a password on devices. On a rainy day users can find that their fingerprints don’t work when their hands are wet. Again, this is due to the use of low-end components that cannot deal with fingerprints that are cold or wet.
The solution would seem to be the use of multi-factor authentication rather than relying on just passwords or, in the case of Dunkelberger, biometrics. This is already being implemented by an increasing number of business websites, with a number of banks trialling it for online banking. The success of those banking trials could lead to major adoption across online businesses, but only if it can be done at a low cost.
For example, combining a fingerprint reader with some form of passphrase or code sent to a mobile phone will mean someone picking up the cost of the fingerprint reader. Using a password and then a texted code will not incur much in the way of cost and is more likely to be the future. There are other solutions, such as mobile apps that generate one-time codes. This will still result in costs for the online business as it integrates the code for the security solution, but it will be a one-off cost rather than sending devices to customers.
This is not the first time a Minecraft service has been hacked. Back in January, Minecraft developer Mojang admitted that over 1,800 accounts had been stolen. That attack was not put down to a security breach; instead the user credentials were stolen using a phishing attack. Microsoft, which now owns Mojang, reset all affected user accounts as soon as it became clear that they had been compromised.
Gaming services are seen as a lucrative target by hackers. Most gamers link their accounts to social media, and a lot of them reuse their credentials across multiple services. This means that once an attacker gains access to a gaming account, there is a wealth of other data to be grabbed.
Users need to be better educated by gaming services to change their passwords regularly and to use strong passwords to protect their data. The use of two-factor authentication would also be a significant boost when it comes to protecting user data.