Over 1,800 Minecraft account credentials leaked online [Update: No breach at Mojang.net]

Update: Microsoft clarified in a statement to The Guardian that none of Mojang's servers were compromised, meaning that the leaked passwords and usernames were the result of an unrelated hack.

"We can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts.""When we discover lists of gamertags, usernames and passwords posted online, we take immediate action to protect our customers by reviewing for valid credentials and resetting account access when necessary."

Microsoft's statements will no doubt reassure users concerned about the safety of their accounts.

Original story follows

A plain text file of over 1,800 Minecraft usernames and passwords has leaked online. At this stage, it is unclear as to how the details were obtained, or if the leak itself is a precursor to a much larger attack targeted at Minecraft.

The details available in the leak (which has been posted to Pastebin) allow anyone to log in to a legitimate user's account to download and install the full version of the game. More worrisome is the fact that the hack exposes the affected users to more malicious attacks if they've reused the password on other services.

According to security researcher Graham Cluley (opens in new tab):

"Quite how criminals managed to steal the credentials for so many Minecraft users isn't clear. Possibilities range from simple phishing attacks, keylogging malware stealing players' details as they log into the game, or even a security breach at Minecraft itself. (Let's hope it's not the last one – because the game has over 100 million registered users).""And although some 1800+ usernames and passwords have been published online, there's no guarantee that whoever gained access to them hasn't got a whole lot more in their back pocket which they haven't chosen to release to the rest of the world."

Source: Heise

Harish Jonnalagadda
Senior Editor - Asia

Harish Jonnalagadda is a Senior Editor overseeing Asia for Android Central, Windows Central's sister site. When not reviewing phones, he's testing PC hardware, including video cards, motherboards, gaming accessories, and keyboards.

  • Good thing I never played or had interest in that game. If I want my eyes to burn, I'll play Wolf3D or DooM in 320x240 resolution on my 22" monitor.
  • It's cute how you think this can not happen to any other game that requires a useraccount (iRacing, WoW, LoL or even steam)
  • +925 Especially considering at least three of the four have gone through the same thing
  • Only idiots would save their users' passwords as plain text, I don't know the developers of said games.
  • since there is currently no real information on how the passwords were obtained, there is no need to jump to the conclusion that mojang stores the passwords in plaintext. But if it turns out they do, that'd be bad news.   currently there's just speculation, it could be phishing, malware or something else.
  • I think graphics is the least thing Minecraft is about ;)
  • I played Minecraft (the old old old version) one time and I dug a hole but couldn't figure out how to get myself out of said hole. I saw other people walking through the blocks and wondered why I couldn't. Probably just a weird server.
  • I wouldn't call it low resolution, just pixelated textures(without the mods at least). My girlfriend play it on the PS3 at 1080 and it looks quite pretty.
  • i second that 
  • The weird thing is not the graphics, but the performance-to-graphics ratio. The game should run well on an AMIGA 1200 with a harddrive, but instead it sometimes needs an Nvidia GTX 750 card or comparable AMD chip. Really weird. It is just a lot of graphics in there but it's pixelated or something :)
  • it's the sheer ammount of blocks generated on the fly when moving to new areas and how they interact with each other.
  • Minecraft, while based on a simple logic, uses a LOT of physics block emulation, and has to have all blocks in the render queue - visibility check is not that simple ;)
  • ^^
  • I 2nd that rct looks better then this trash
  • Its an attack against microsoft
  • Perhaps this will accelerate Microsoft's inevitable plans to switch users from Minecraft accounts over to Microsoft accounts.
  • I don't want them to switch, but I do want then to allow. Switching will irritate too many.
  • Right, mandatory is never cool, hopefully they will remember this...
  • They already had people using the old Minecraft.net accounts switch to the new Mojang accounts that held billing info. Hopefully that information is safe. Most likely this hack is from people using third party mod loaders to get features like capes and other cross server functionalities.
  • Maybe this IS Microsoft's plan to get users to switch to Microsoft accounts! O.o
  • Doesn't the Xbox version use Live info?
  • Yep, it does. Time to get the others on board
  • but the xbox version (especially the 360 version) has tiny worlds. I have often hit the borders of the world on the 360, so much infact that it stopped being fun and I haven't touched the game in ages.
  • The Xbox One version of the game is much much bigger.
  • it might, I just could never get it to run on my xbox 360 ;)
  • It's Google, we must fight, prepare our army!!
  • Make sense, bro. Hahaha
  • Me and my 625 both are ready to fight against Google.
  • This is the reason why I'm not buy the game.
  • you don't play any online game do you?
  • Is this just pertaining to Minecraft for phones?
  • my guess it's actually pertaining to the PC Version of the game. The console versions use the approriate console service (PSN or XBL) for authentication, not sure about the mobile ports, though.
  • No you don't need a account to play Minecraft on mobile. It's pertaining to the PC version. I've already changed my password. Rather unfortunate that this would happen. Posted via the Windows Central App for Android
  • Just a bunch of kids playing this game anyway.....
  • Hah, yeah right. No. People of all ages play Minecraft.
  • Really? How sad....
  • Ignorance is what's truly sad. Read about Redstone circuitry and come back and tell us how childish this "game" is.
  • So many people say that, you are just a monkey repeating what you see. It's not at all true.
  • Google is responsible.
  • Google..
  • With this low of a number being released, it was probably a phishing scam. If someone got more than that, they would have bragged by now.
  • Why would someone want to steal someone's minecraft account? ITS MINECRAFT!!! 
  • for pure griefing nothing more   
  • well, i guess changing my password won't help, if it was phishing they don't have my password because i know when i see phishing, and if they hacked the servers they can just get the password again if i do change it :p
  • It's just a game. Just pretend it didn't leaked LOL
  • Any way to get to the plain text file to see if mine is on there?
  • Someone on a german forum (heise.de) got ahold of the list and sent out an email to everyone who was on it. Please note, however, that whoever compiled this list of 1800+ accounts might actually have access to more than just this leaked list. http://uncovery.me/2015-january-leaked-1800-check/
  • This was probably a phishing attack. I doubt that they would leak 1800 accounts when they breached the whole system.
  • Great knowing console is not affected Thanks Localhorst86
  • well, it's more of an educated guess, derived from the facts given. But on the console versions (xbox 360, PS3 and Vita are ones that I tried) you never have to log on using your minecraft account.
  • I think all the people that do this type of thing need to be uncovered and their info given to all of those that they have done this wrong to. See how they like it when the people they have wronged know all their info...
  • Just changed my password.. Just incase
  • Are the affected account holders being contacted?
  • Master PC race huh? :)
  • Is this only for the desktop version?  I don't remember making an account for the WP version.  Also have it on the PS4 but I haven't even installed it yet. =p
  • It is very possible to have a text file laying around the pc with accounts and passwords, obviously it can easily be seen by any hacker/breacher this way, i never leave any password related things in text files, i either memorize them or write it down like in the old days :P
  • Why did not minecraft encrypt password of user before saving into database? it's too easy to implement
  • Where is the Windows 8 and Windows RT version of Minecraft?