In August, LeakedSource informed Softpedia that it had received the full database and source of Leet.cc, a service for creating and running Minecraft Pocket Edition servers. According to Softpedia at the time, there were over 6 million users’ records, consisting of username, hashed password, registration date, last login date, and user ID. “For the vast majority of users, but not for all, there was also an email address associated with their account,” Cimpanu reported.
As Cimpanu also reported, there was talk that the hack had actually occurred back in February. A search of Twitter reveals that “Anthrax” had claimed responsibility for the hack and that Leet.cc was aware of it in February:
@leet_cc Did you know about this? pic.twitter.com/NPCzSfVSBg
— NerdyProductionz (@NerdyPlayZMC) February 9, 2016
Leet.cc responded that they were aware and working on it:
@NerdyPlayZMC Yes, we are testing and upgrading our security systems at the moment. You might see this often during this test period
— LEET Servers (@leet_cc) February 9, 2016
Somewhere between February and September 29, however, there appears to have been another, more limited, breach, as HaveIBeenPwned.com reported:
Leet
In August 2016, the service for creating and running Pocket Minecraft edition servers known as Leet was reported as having suffered a data breach that impacted 6 million subscribers. The incident reported by Softpedia had allegedly taken place earlier in the year, although the data set sent to HIBP was dated as recently as early September but contained only 2 million subscribers. The data included usernames, email and IP addresses and SHA512 hashes.
Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity
On September 29, the larger (February) database was made publicly available by “Anthrax” (@anthraxiation), who tweeted:
LEET CC DB IS NOW PUBLIC mega.nz/#!QMUXEAgA
AND @PoodleCorp DB mega.nz/#!NE9zBYYD
PM me for passwords
— Anthrax (@anthraxiation) September 29, 2016
The database, a copy of which was obtained by DataBreaches.net, contains 6,085,759 records. There are 5,089,066 email addresses. DataBreaches.net did not attempt to identify or delete any duplicate records. DataBreaches.net sent inquiries to a small sample of the email addresses in the database, asking them to confirm their username/email address. Of the 10 emails, three bounced back as user unknown, and there were no responses from the others by the time of this publication.
Leet.cc’s Response to the Public Dump
As far as DataBreaches.net can determine, Leet.cc has done nothing. There’s no notice on their web site, and their Twitter account makes no mention of the dump or what, if anything, users may need to do. Neither Johan Land, the site’s registered owner, nor anyone else at leet.cc has responded to two email requests asking them to confirm the authenticity of the data.
Indeed, not only has Leet.cc not made any public statement about the dump, but when Anthrax tweeted that his data had been caught up in the breach, their Twitter account suggested he was to blame for his problems:
@AnthraxGod You must’ve used a dictionary password.
— LEET Servers (@leet_cc) September 30, 2016
Wow.
Leet.cc is not the only Minecraft-related service to have been hacked this year. Data from 7 million Lifeboat users was found up for sale on the dark web in April. Unlike Leet.cc, the passwords in the Lifeboat database were hashed with MD5 rather than salted SHA512. The Lifeboat hack appeared to have occurred in January. Shockingly to some, Lifeboat posted a tweet to Leet.cc that appeared to joke about the hacks. Their tweet was subsequently deleted and replaced by a redacted version, but perhaps not quickly enough. Here’s the archived copy of the tweet.
While the Leet.cc database does not contain very sensitive information, with so many young people using Leet.cc and Lifeboat, and the likelihood of reusing usernames, email addresses, and passwords across sites, perhaps the Federal Trade Commission might want to look at both companies to see if they have reasonable data security. Of some concern, Leet.cc also did not respond to a question concerning a claim made by Anthrax to DataBreaches.net in an encrypted chat that leet.cc remains vulnerable to a common attack method, and that anyone could acquire what he says are now 9.2 million users’ records.
How many more hacks and data dumps will it take before some regulator or state sends a strong message about data security?