Minecraft account security

By Evelyn
Category: misc

Introduction

In the beginning, a game called Minecraft was created. It became quite popular; you might have even heard about it. Things were more or less fine at first, people mined, people crafted. Eventually its game studio, Mojang AB, was acquired by Microsoft in 2014 - mission accomplished.

Multiplayer is a significant part of the Minecraft experience, with Mojang operating a central accounts and authentication service which gives players a consistent identity across third party servers. Each player can customise their appearance by uploading a custom 'skin', and has a single username which appears in chat and above the player's head in-game.

For a long time, you couldn't change your username. If you had a cool name, you were stuck with it; if your name was extremely uncool, you were also stuck with it. In 2015, after all accounts had been assigned unique identifiers (UUIDs, for short), players were allowed to change usernames. Usernames from accounts which had registered but never bought the game were later freed for use by "premium" players, sparking a gold rush as active players sought to upgrade their usernames.

Usernames aren't all that's cool and rare in Minecraft; there are in-game capes too, each with a distinctive design, and all are limited-issue. A small handful of capes were given for community contributions such as translations; Mojang capes are offered to those who work for Mojang; Minecon capes are given to recognise players who attended real-world Minecraft events; and, least special of all, the "migrator" cape goes to those who once had a Mojang account. A tiny handful of capes are held by only one account each.

It's notable that some Mojang staff declined the company's distinctive cape over security fears.

Over the last few years, there's been a rising demand for rare usernames, and for rare capes, and there's now a healthy market for accounts with either of these, which can change hands for thousands of dollars for rarer or more desirable examples. There's also a subculture of people who value "OG" accounts to add to their personal collections, to show off among those communities.

Trading accounts is against the game's terms of service, but this does little to dissuade those after the prestige or the money that can result. Those who resell accounts in particular are quite relentless and can be quite ruthless in what they'll do to get hold of accounts to resell. This rather murky market is supported by the buyers, who are either unaware of or indifferent to how the accounts are acquired.

In some cases, if Minecraft support becomes aware that an account has changed hands, they will lock it, but enforcement is quite patchy, and many of these communities operate in the relative open.

The ends always justify the means

Sniping

Username "sniping" is similar to auction sniping: it means using a bot to claim a username the moment it becomes publicly available. Players can only change their username every 30 days, but their previous username is reserved for about 37 days so they can reclaim it if they change their mind. The exact moment a username will become available can therefore be predicted, and split-second timing is something software is great at. Mojang takes a dim view of this sort of thing, but it shows no signs of stopping.

Buying

If someone has a desirable account, they might offer to buy it. To do this, they need to find a way to contact the player, something which is aided by the fact that Mojang publishes a history of previous usernames for each and every account, and various websites provide a user-friendly interface to it. If your current or previous usernames are distinctive enough to search for, this is how they'll find you. The first resort is conventional search engines, but they might also make use of breach databases to find information on you which shouldn't be public - I know one person who received a phone call from someone asking to buy his account.

This can be extremely annoying and intrusive to be on the receiving end of. Even without phone calls, I've had something like ten attempts to contact me from various people this year alone. I'm not sure what changed: the first emails started in 2018, and there were a handful each year, but 2021 is the year the floodgates really opened - perhaps they're trying to get in ahead of migration. It's hard to say.

Support tickets

If they can't snipe it, and they can't buy it, they can try to convince Mojang support to give it to them, crossing the line from "breaking the ToS" to "breaking the law". They'll do their level best to find as much personal information as possible, using techniques from the previous section as well as more underhanded tactics, and they'll use this information to try to convince support that they're the rightful owner of the account. They keep tabs on support agents, and prioritise those they believe are most likely to go along with their requests.

This seems to have been mostly mitigated by Microsoft migration, if only because support appears to have lost the ability to do much at all with migrated accounts.

Mojang

Mojang, for its part, doesn't appear to have any strategy for dealing with this problem. We've had conversations with staff, who are quite sympathetic, but who have let slip that Mojang doesn't appear to have much in the way of planning to deal with this besides migration. Senior support staff suggest that this is not an accurate impression, and assure us that account security is their foremost concern, but declined to offer any specific information.

As far as the username history is concerned, Mojang has a clear legal responsibility under Swedish data protection law to ensure that data processing is legitimate and legal, and that data requests are handled fairly and promptly. Unfortunately, support policy is that only full names or addresses in previous usernames comprise "personally identifiable information", and that only those will be removed. This is wrong in law: personally identifiable information is any information which can identify a person, and the policy also ignores the need for the data processing itself to be legitimate.

Some information is additionally regarded as "sensitive" under data protection law. A gender transition, for example, could be inferred from two different first names in a history, and this is also not covered by their policy.

My experience from my own request, and from talking to others with a similar problem, is that the request is only taken seriously when the user makes explicit references to data protection law and data protection principles. This alone is totally unacceptable: your rights as a data subject exist whether or not you understand them.

The GDPR sets clear time limits for data controllers to respond to requests; in most cases this is one month. My experience talking to support has taken over sixty days, over which Mojang have alternated between rejecting the request (2021-09-17), accepting it (2021-10-01), rejecting it again (2021-11-15), then reversing course once more and making an "exception" (2021-11-16).

Another curious detail since Mojang's final u-turn: I've been assured that the removal happened on 2021-11-16 and that this can take several days to take effect. As of the end of 2021-11-19 (UTC), this hasn't happened. I've been told this is down to technical factors, but this doesn't seem right; on the face of it, it's more likely that the request has to be passed internally for action.

I've been given repeated assurances that their policy is in line with the GDPR because it has been reviewed internally by legal teams, and while I am sure that Microsoft has excellent lawyers, they are not omniscient: they cannot predict the future, and they cannot envision every scenario that will happen. Compliance isn't something you do one time and put on a shelf; it's your relationship to data protection law every single day.

What you can do

If you have a Minecraft account, the single most important step you can take is to migrate it. You can have a Microsoft account dedicated to only this (this is what I've done), but be careful. Migration is enormously effective in protecting your account because support apparently can't do anything with migrated accounts. This is a double-edged sword, but it means they can't be convinced into giving your account to a scammer.

If you have an identifiable username in your history and want it to be removed, you can submit this as a support ticket to Mojang. Explain why your previous username is problematic, and make sure to explicitly call it a "GDPR request", and press this in each and every message. If you're lucky, they'll take the hint.

If you've submitted a GDPR request and find that Mojang have rejected it out of hand, or have taken longer than the legal limit to fulfil it, you can submit a complaint to the Swedish data protection authority, IMY. The form itself is in Swedish, but you'll find that a tool such as Google Translate offers an accurate translation, and you can complete it in English.

If people try to find personal information on you, they will likely try to infer an email address associated with you. You may find that people send unsolicited links to documents on Google Drive, or money requests on PayPal; these are attempts to find out your "real" name, and to discover accounts you might have. Don't click on the links and don't respond, as this gives them more information. Moving some accounts away from that email address might make this technique less effective.

Following good online security practices will also help to mitigate the risk. Remember that your email account(s) are the keys to the kingdom: they should have strong passwords which aren't shared with any other service. Consider using a password manager to keep unique and strong passwords for every service you use online, and enable non-SMS two-factor authentication on important accounts (including your Microsoft account - it's a target too).

You should also review your online presence from their perspective, and make sure you're on top of what privacy features are offered by the websites you use. The more information they have, the better their chance of success when sending fraudulent support requests; they'll want information such as your date of birth and answers to security questions.

What Mojang can do

The most serious problem Mojang faces at the moment is the fact that they are not discharging their legal responsibilities under data protection law. This is the most pressing thing to be addressed: the requirements the law sets out are quite straightforward, but they're not optional.

Mojang's account history API doesn't seem to serve any legitimate use at present, so long after UUID changeover, and is one of the main tools in the arsenal of people looking to harass or compromise players outside of the game. It should be either curtailed or removed entirely.

Judicious application of grep and the excellent decompiler CFR suggests this endpoint isn't referenced at all in a recent vanilla server snapshot (1.18-pre4) or its auth library (grepping for 'names', the shortest indivisible part of the endpoint).

I've seen several explanations for why this feature is necessary and serves a legitimate use, but these are quite varied, ranging from it being necessary for classic authentication, to being useful to third party game servers to audit for previous inappropriate usernames, and one suggestion that publicly offering the complete username history fulfilled their data protection requirement to ensure data integrity. None of these actually make any sense; I suspect that the simple answer is that no-one actually knows why this endpoint exists or whether it is necessary.

I think it's also worth mentioning that Mojang has serious organisational problems, and it's likely that the real situation is worse than we know about. My personal view on why this situation persists is that no-one has the capacity to deal with it, as Mojang is understaffed.

Mojang's account API

If you don't know what an API is: in brief, it's a mechanism to make machine-readable information available to other software. In the case of Mojang's accounts API, this is available over the web. Some endpoints need authentication, but the ones I'm talking about here are publicly accessible, and all use the GET method, which means you can access them in a web browser without any login and without any programming knowledge.

The endpoint which allows you to determine what UUID an account has is /users/profiles/minecraft/{username}. Let's say you wanted Notch's UUID; that'd look like https://api.mojang.com/users/profiles/minecraft/notch, and it should give you:

{"name":"Notch","id":"069a79f444e94726a5befca90e38aaf5"}

Which tells us that the user Notch has the UUID 069a79f444e94726a5befca90e38aaf5 (or 069a79f4-44e9-4726-a5be-fca90e38aaf5 if you prefer; both are acceptable to the API).

The endpoint which displays username history is /user/profiles/{uuid}/names. For example, if you wanted Notch's username history, you would request https://api.mojang.com/user/profiles/069a79f444e94726a5befca90e38aaf5/names, because his UUID is 069a79f444e94726a5befca90e38aaf5.

You should get:

[{"name":"Notch"}]

There's only one entry here, as Notch has never changed his username. On an account with a changed username, you would see several entries, the first being the first username, and the final one being the current one, with timestamp information on all except the first.

This API hasn't been officially documented, but there's community documentation that describes it here.
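As an added example (not code from the article or from Mojang), here is a small Python helper that mirrors the two-step lookup just described and parses replies in the format shown above, so you can review what your own account's history exposes. The 'changedToAt' timestamp field name on later history entries is assumed from community documentation rather than taken from the article, and the second sample reply is constructed.

```python
from __future__ import annotations
import json
import re
from datetime import datetime, timezone

API_BASE = "https://api.mojang.com"

def normalize_uuid(raw: str) -> str:
    """Return the 32-hex undashed form; the API accepts dashed or undashed."""
    hexstr = raw.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", hexstr):
        raise ValueError(f"not a UUID: {raw!r}")
    return hexstr

def dashed_uuid(raw: str) -> str:
    """Render a UUID in the 8-4-4-4-12 dashed form."""
    h = normalize_uuid(raw)
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"

def profile_url(username: str) -> str:
    """Step 1: username -> UUID lookup URL."""
    return f"{API_BASE}/users/profiles/minecraft/{username}"

def history_url(uuid: str) -> str:
    """Step 2: UUID -> username history URL (either UUID form is fine)."""
    return f"{API_BASE}/user/profiles/{normalize_uuid(uuid)}/names"

def parse_profile(body: str) -> tuple[str, str]:
    """Parse the step 1 reply {"name": ..., "id": ...} into (name, undashed uuid)."""
    obj = json.loads(body)
    return obj["name"], normalize_uuid(obj["id"])

def parse_history(body: str) -> list[tuple[str, datetime | None]]:
    """Parse the step 2 reply: the first entry is the original name with no timestamp;
    the field name 'changedToAt' (epoch ms) on later entries is assumed, not from the article."""
    out = []
    for entry in json.loads(body):
        ts = entry.get("changedToAt")
        when = datetime.fromtimestamp(ts / 1000, tz=timezone.utc) if ts is not None else None
        out.append((entry["name"], when))
    return out

# Constructed samples: the profile is the Notch reply quoted above; the history is made up.
SAMPLE_PROFILE = '{"name":"Notch","id":"069a79f444e94726a5befca90e38aaf5"}'
SAMPLE_HISTORY = '[{"name":"OldName"},{"name":"NewName","changedToAt":1614556800000}]'

if __name__ == "__main__":
    name, uuid = parse_profile(SAMPLE_PROFILE)
    print(name, dashed_uuid(uuid), history_url(uuid), parse_history(SAMPLE_HISTORY))
```

To run it against a live account, fetch profile_url(...) and history_url(...) with any HTTP client and pass the response bodies to the two parse functions.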

A last word

Minecraft can be a surprisingly educational game, but I think it might be better for everyone involved if these lessons didn't include data protection law and online safety.