Mojang Reveals How Minecraft Passwords Were Stolen

[exfileme]

This is how hackers acquired the usernames and passwords of 1,800 Minecraft gamers.

Mojang Reveals How Minecraft Passwords Were Stolen : Read more

 

[Morbus]

They store our passwords?

They're doing it wrong. Ever heard of hashes?

 

[canadianvice]

You could stand to read the article - it was a phishing attack.
Stupid people being duped into giving up passwords to illegitimate sites.

No pity for them.

 

[bluegman991]

Did this guy really suggest a hash over encryption?

 

[agnickolov]

Hashing is a one-way transformation - there's no way to obtain the password from the hash alone other than guessing. Therefore it's actually more secure than encrypting and storing the password. Doing both, e.g. encrypting the hashes is obviously better than either one in isolation of course. Then there's also salting that additionally improves security by pre- or appending text before hashing and/or encryption.

 

[Metheglin]

Needs to be salted otherwise too easy with rainbow tables.

 

[Kelthar]

I'm pretty sure they know how to hash passwords with a salt. The communication they put out had a low level of tech involved, getting into details of how passwords were stored/checked seemed unnecessary, at least as I see it.

But I'm pretty sure Mojang knows that they're supposed to use a hash, and a unique salt for each password.

 

[Christopher1]

You could stand to read the article - it was a phishing attack.
Stupid people being duped into giving up passwords to illegitimate sites.

No pity for them.

With all due respect, phishers are getting VERY VERY good at obfuscating the fact that you are not on the actual legitimate website of the game maker.
Sure if you look at the urlbar in your browser, you might see that instead of mojang.com it is going to steal-your-password.kr but many people just click on links in e-mails and do not bother to do that.

 

[canadianvice]

You could stand to read the article - it was a phishing attack.
Stupid people being duped into giving up passwords to illegitimate sites.

No pity for them.

With all due respect, phishers are getting VERY VERY good at obfuscating the fact that you are not on the actual legitimate website of the game maker.
Sure if you look at the urlbar in your browser, you might see that instead of mojang.com it is going to steal-your-password.kr but many people just click on links in e-mails and do not bother to do that.

Then they should be checking that. People shouldn't own what they can't use properly. The only way phishing works is because of stupid, lazy people.