threatpost | Chris Brook | THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB
Jan 22, 2015 - 2:35 p.m.

Mojang Resets Users' Passwords, Microsoft Insists Not a Hack


Microsoft confirmed this week that one of its recent acquisitions, the gaming firm Mojang, has not been hacked.

Nearly 2,000 credentials belonging to users of the Mojang game Minecraft – email addresses and passwords in plain text – surfaced on Pastebin earlier this week and speculation began to run rampant.

Given that the Swedish video gaming service – which Microsoft purchased in September – boasts in excess of 50 million members, many feared the company had been hacked.

Heise Security reported the breach on Monday; it searched through the list and discovered that users from Germany were on it and that the information was current. If a user hasn’t set a security question, attackers could potentially log into one user’s account to another.

Microsoft’s response, however, suggests it’s just business as usual for Mojang, which, like other gaming firms, gets hacked from time to time and is forced to reset a small group of users’ passwords.

“We can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts,” a Microsoft spokesperson told Stuart Dredge with The Guardian on Wednesday.

While Microsoft didn’t explain exactly how the service’s users were compromised, Owen Hill, the company’s Chief Word Officer, suggested that a fraction of Mojang’s users may have been phished.

“No! We haven’t been hacked. A bunch of bad people have tricked some of our users into disclosing their account information,” Hill wrote in a blog entry titled “Let’s Talk About Password Security” yesterday.

Hill claims the company has already emailed the affected users and reset their passwords. To help reinforce security going forward, Hill is encouraging users to reset their passwords, not to use the same password on multiple websites, and to avoid giving away account details on sites that aren’t its own.

Gamers are routinely targeted by hackers and phishers alike.

Email addresses, hashed passwords and other information were spilled from the video game developer Blizzard Entertainment when it was hacked in 2012, while in 2013 another video game company, Ubisoft, urged users to create new passwords after hackers were able to exploit a vulnerability to get to one of the company’s databases. Usernames, email addresses and encrypted passwords were leaked in that hack.

Last year, a cache of usernames, email addresses and salted password hashes belonging to players of the popular game League of Legends was compromised. The service forced users to change their passwords and had to put two new features, email verification and two-factor authentication, into development to bolster security.