If you’ve used LBSG, we urge you to change your password on any other service where you used the same password.
You can check if your account was compromised by visiting haveibeenpwned.com.
Motherboard recently reported that the Lifeboat Survival Games network had been hacked, with over 7 million users having their password data stolen. The leaked data included usernames, email addresses and insecure passwords.
LBSG knew about the breach, but absurdly didn’t notify any users. They told Motherboard this:
“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act,” a Lifeboat representative said in an email. “We did this over a period of some weeks. We retain no personal information (name, address, age) about our players, so none was leaked.”
“We have not received any reports of anyone being damaged by this,” the representative added in another email. They did not reply when asked to clarify why the company did not inform users.
The passwords had only been hashed using the extremely weak and insecure MD5 algorithm, and such hashes can be easily cracked in seconds. Security researcher Troy Hunt, who discovered the hack, said he “was able to easily verify people’s passwords with them simply by Googling them, such is the joy of unsalted MD5”. LBSG stated they now use a much more secure hashing algorithm.
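The weakness of unsalted MD5 described above, shown next to a salted alternative. This is an added example, not code from the article or from Lifeboat. The choice of scrypt, its cost parameters, the `scrypt$salt$digest` record format, the upgrade-on-login step and the sample users are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts that chose the same password.
SAMPLE_USERS = {"alice": "dragon123", "bob": "dragon123"}

# scrypt cost parameters (assumed values for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def md5_unsalted(password: str) -> str:
    """Legacy scheme described in the article: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a login against either record format, comparing in constant time."""
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    else:
        candidate = md5_unsalted(password)
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """On a successful login, replace a legacy MD5 record with a scrypt one."""
    if user not in db or not verify(password, db[user]):
        return False
    if not db[user].startswith("scrypt$"):
        db[user] = scrypt_hash(password)
    return True


def shared_digests(db: dict) -> bool:
    """True if two accounts store the same value, i.e. equal passwords are visible."""
    return len(set(db.values())) < len(db)
```

With unsalted MD5 both sample accounts store the same digest, so one lookup exposes every user of that password; after the upgrade each record has its own salt and the stored values differ.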
If users have used the same password on other services, such as email or Twitter, it is trivial for attackers to access any of these accounts. Though Lifeboat states they “have not received any reports of anyone being damaged by this”, it would be near impossible to know the cause of a breached account anyway, especially if that cause was kept quiet.
Edit: Since this article was published, some Lifeboat staff members have contacted us. One privately told us that “every email that is stored in our database is being notified [of the breach]”, and also stated that it is not an easy task and they want to ensure everything is sorted out. Another admitted that they now understand it was the wrong decision to keep the breach private, but was somewhat defensive. Though it is many months too late, it is good to see that they are now taking action and accepting some responsibility.