Possible data leak at Minecraft server GommeHD
The German Minecraft server GommeHD probably has a vulnerability and a data leak. Users should change their passwords.
There may be a security vulnerability on the Minecraft platform “GommeHD.net”. It apparently allows user data to be extracted. A sample data set is openly available online, and the allegedly complete user data is for sale on Telegram.
The sample data includes an email address, plain text password (including "123456," of course), and a username. It is unclear where this data comes from. It could be access data for the Minecraft server or the forum connected to it. The criminals write that they want to pass the data on to Have I Been Pwned.
In the GommeHD forum, users have also been complaining since Sunday that data has been exposed. On Thursday of last week, however, an administrator declared the issue closed: an attempt had been made to install an update, which had led to problems with the site layout that the team had managed to resolve. A developer wrote that the data probably came from somewhere else – each of the accounts already appears on Have I Been Pwned.
Unclear situation
He also writes that GommeHD uses XenForo: “Xenforo stores passwords not as cleartext, as seen in the dox, but as hash”. Such data could come from infostealers. The situation is confusing and unclear. GommeHD has since responded to our request. “After careful examination, we are currently unable to confirm a data leak at GommeHD.net,” the company explains. "The credentials published on Doxbin can be matched without exception with known external data leaks such as the ‘Alien Breach’ (AlienTXT) and other historical sources. We were able to verify all credentials via relevant breach sources and Telegram bots", which indicates that they did not originate from attacks on the GommeHD systems. As some of the credentials apparently originate from “stealers”, these cases involve compromised end devices of individual users.
GommeHD does not store passwords in plain text, but in accordance with current security standards, for example by using strong hashing methods. GommeHD is also proactive and regularly searches common leak databases and forums. If access data is compromised, the company forces a password reset. According to the current state of knowledge, there has been neither an intrusion nor a targeted compromise of the IT infrastructure.
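The check described above, matching credentials against known leak data and forcing a reset on a hit, can be done without ever sending the full password hash to a third party. The following is an added example, not GommeHD's code or the XenForo implementation: it implements the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API (only the first five hex characters of the SHA-1 are sent; the service returns all suffixes in that range) against a constructed, embedded stand-in for the API response, and applies a hypothetical reset policy to the result.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords "range" endpoint
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The real service answers with "SUFFIX:COUNT" lines for the whole range.
# The counts and the two neighbouring suffixes below are made up; the
# middle suffix is the real SHA-1 tail of "123456", the password that
# shows up in the published sample data.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "7C4A8": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n"
        "D09CA3762AF61E59520943DC26494F8941B:37359195\r\n"
        "FFEBD3A5D6B8E8C8F5F0A1B2C3D4E5F6A7B:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines ignored)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the leak corpus (0 = not seen).
    The comparison against the suffix happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    # In production this would be an HTTPS GET to the range endpoint.
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def must_reset(password: str, fetch_range=fake_fetch_range, threshold: int = 1) -> bool:
    """Hypothetical policy hook: force a password reset on any known leak hit."""
    return breach_count(password, fetch_range) >= threshold


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(pw, breach_count(pw, fake_fetch_range), must_reset(pw))
```

Because the lookup keys on the SHA-1 of the password itself, it works regardless of the stronger hash the site uses for storage; it has to run at login or password-change time, when the plaintext is briefly available.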
Troy Hunt, who runs Have I Been Pwned, said when asked by heise online: "A random sample of addresses all show up in the Alien Stealer Logs". This suggests the data stems from there, i.e. from infostealers.
All GommeHD users should change their passwords as soon as possible. However, GommeHD now seems to ask for a password change when logging in anyway – it is currently not possible to say whether this applies to all users or only to the accounts that appear in the published sample data set. If possible, users should also activate multi-factor authentication (MFA) so that leaked passwords cannot lead to their account being compromised.
Unfortunately, data leaks are a common problem. One of the most recent cases concerns McDonald's. The company used an AI chatbot for recruitment interviews. The data collected was poorly protected: MFA was not active and the password was simply “123456”. This allowed IT researchers to gain access to data from around 64 million applicants.
Added a statement from Troy Hunt.
Added a statement from GommeHD.
(dmk)