On February 27, 2020, popular Minecraft streamer iceblades11 was playing on Hypixel, jumping around like a kangaroo, when suddenly he was locked out.
"How am I being logged on from another location? You changed password? I changed it, dude. I am just keep... I did change, I changed password."
Someone had accessed his account from another location.
"Dude, they must not my key or something, dude. Invalid session."
His viewers were in shock. Was his password stolen? Did someone break into his house and put a virus on his computer while he was sleeping? No one knew what was going on.
"During her live stream our account was logged in from another location. Now, I don't know how they were able to do that. I'm not sure if they had my password or whatever they had to get on my account."
Around the same time, more streamers were hit with the exact same attack.
"Is that my F3 menu up? No, come on. No, are you kidding me? Supposed to be on the wall. It's not the actual banner. That's why it, like, turns to snow, to stone, dude. Oh my, dude, I think I'm about to... I think I'm getting here, I think I'm getting, I think, I think... Oh my god. tv underscore yt. It said login from another location. Yeah, yeah, yeah, it did. What do I do? Change your, uh, your email. Change your email right now. Yeah, yeah, yeah. Do you have an OnlyFans account? Be honest. Yeah, sorry, I'm getting, I'm getting straight... Oh my god."
Let me ask you a question: have you ever tried to join a Minecraft server and this message popped up? Every time you launch Minecraft, your username and password is sent to Mojang's secure servers, and in return they give you a unique session ID. This is a special key which tells Minecraft servers like Hypixel you are the owner of that account. Session IDs allow these servers to verify your account without knowing your username and password. It's a safe way to verify users because servers don't need to access sensitive data: one simple token and you're in.
In late February of last year, hackers discovered an easy way to obtain session IDs and log into servers as other people. This was surprisingly easy to do. Like, there were actual tools where you could just enter a username and bam, you're in. Once the word got out, total chaos erupted.
"Yeah, yeah, just click on the slots. Wait, what? I logged in from another location, dude. Dude. Okay, okay, okay, okay."
This was the beginning of a huge Minecraft account exploit, the biggest and most dangerous one in the history of the game, because it affected every single registered account, including yours, regardless of password strength. Hackers had found a very simple loophole, a flaw in the authentication system that had gone unnoticed for years, which allowed them to log into any Minecraft account they wanted without even knowing the email or password. As long as they had the username of their victim, they had access to everything.
This video will explain the brilliant method hackers used to pull this off, all of the YouTubers and accounts that were affected, the backlash, and ultimately Mojang's response to this massive vulnerability. To the end, this video will take you through the dark part of Minecraft's history many people don't seem to want to talk about. Also, only one percent of my viewers are female. I honestly don't know why. If you have a girlfriend or a sister or whatever, please share my channel with them so we can fight the gender inequality on this channel. Enjoy the video.
I touched on this at the start of the video, but streamers were the first people affected, mainly because if you were famous, you became a huge target. Let's say you used this exploit and you logged into Dream's account. What's the first thing you would do? That's right: using this exploit, within a few seconds you could connect to the Dream SMP as Dream himself. Now you see why this is such a huge problem. If this vulnerability existed today, people would literally be logging into the Dream SMP and destroying the entire server. Of course, you would need the actual IP address for the Dream SMP, but that's surprisingly easy to find. In fact, several people have already found it, but the only thing preventing them from connecting to the world's most coveted Minecraft server is the whitelist. With this exploit, that can be bypassed. Luckily, Dream wasn't insanely popular back then, and from what I know his account was never touched.
Using this, it was also possible to impersonate the owner of a Minecraft server like Hypixel, and if that account had op access, well, I think you can guess what would happen.
"Can you ban him? I can't. Hi Emma. Why are... why?"
Plenty of regular people logged into servers as head admins and started griefing using commands they shouldn't have access to. It was chaos. As a result, entire servers were taken offline and a few never recovered. Luckily, none of the major servers like Hypixel were destroyed. I'm guessing the owners temporarily banned their accounts using the console and disabled admin commands until everything was in the clear, but still, for a moment it was possible to pose as the owners.
Now, for the average Steve, you were generally okay. I mean, there's no incentive to impersonate a regular account unless you wanted to log onto a server and start hacking, or you knew they had valuable items and you wanted to either steal or destroy them. And that's exactly what happened.
"Come on. Oh, you gotta be kidding me. I got almost nothing. There we go. Jeez. I won with absolutely no skill involved."
Hackers started targeting the accounts of Hypixel and 2b2t players, logging in as them, stealing items and getting their accounts banned. Hypixel and 2b2t were the main servers targeted by this exploit because many players here had huge amounts of in-game wealth. This person lost 20 million coins and all his valuable items. I looked it up, and the coins were worth about six dollars. A lot of servers are pay-to-win, and this hack opened the door for anyone to access these accounts and get back at the server owners if they wanted to. On 2b2t, the oldest anarchy server in Minecraft, hidden bases were leaked, alliances destroyed, and entire inventories were wiped in seconds, just because hackers were able to impersonate an account. If you're not familiar with 2b2t, bases and coordinates are extremely confidential. Because nothing is protected, leaking the coordinates of anything significant would result in the entire thing being destroyed.
What made this exploit especially scary was that initially these people didn't know how the hackers accessed their accounts. Try to put yourself in the situation of a Twitch streamer
"You shut up when I'm talking to you. You shut your mouth."
suddenly having their account accessed from a new location. The hacker would need your password, right? And once they have a password that works, they're not going to stop at your Minecraft account. They could log into your bank, your Twitter and even your Twitch channel. For these streamers, it felt like their entire life was at risk because they thought these hackers had their password, and you can't really blame them either, because the only known way to access someone's account is to know their password.
The total number of users affected by this exploit was 126 million, or every single Minecraft account in existence, since if a hacker had a valid session ID and a target, it doesn't matter who you are, there is no way to stop them. I don't know how many of these accounts were actually logged into, but given how easy it was and the fact that it was public, the number is definitely in the thousands.
Earlier I talked about session IDs and how they're Minecraft's way of verifying a user whenever they log into a server. Well, one day someone discovered that Mojang doesn't validate an account's ownership of the session token when logging into a server. Basically, it will accept any valid session ID no matter what the username is. As long as the token is valid, full access to the account is given.
So how did hackers get the session ID? It's still a mystery on how the first IDs were stolen, but essentially the information containing the token was poorly protected by the client, allowing people to develop tools that would grab them in a few clicks. In some cases, streamers would accidentally show it while loading up the game. To the average person it was meaningless, but to a hacker this was a golden ticket into their account. I also heard that if you had someone's IP address, you could get their session ID, although I never tested this for myself because I don't like going to prison. Here's an example of what a session ID looks like. For Minecraft it's formatted a bit differently, but it's essentially just a bunch of numbers and letters.
Once this loophole became public, many of the largest hacked clients like Wurst created built-in tools to steal people's sessions and log into their account simply by knowing their username or session ID. I'm still confused as to how this was not illegal. They literally put a button on their clients that allowed you to hack people.
What made this exploit so dangerous was there was literally no way to stop it or protect yourself from being hacked. If you were a target or a significant person and someone wanted to use your accounts, they could.
"Don't... don't work. We can't, we can't do that. No, don't delete commands! What are you doing? What are you doing?"
A common tactic these streamers used was quitting the game. When you log out and quit Minecraft, your session ID is destroyed, but that doesn't stop hackers from getting another one, which they did. I'm not going to lie, at the time it was kind of funny to watch these streamers fight hackers in real time. It was like a back-and-forth battle between the streamer and the person trying to access their account. They would get kicked out, reload the game, log back in, and they'd be somewhere else. And then they'd get kicked out again. And yeah, many of these streamers changed their passwords, but it kept happening.
As terrible as this sounds, there was a bright side to this exploit. Since keys were being used to hack into people's accounts, actual login details like the email and password were not exposed or at risk of being stolen. This loophole could only be used to impersonate people, which explains why streamers who are having their accounts accessed live didn't get their passwords changed or anything else. Still, for many players, years of progress were lost.
Now, this didn't go over well with the Minecraft community, because the core exploit involved hackers using an old system Mojang still supported to verify users. This old system only verified the key, not the username with it, which was the ultimate reason behind this entire problem. Mojang was still supporting a legacy authentication API when a better, more secure one that actually verified account ownership already existed. But that wasn't all. If any Minecraft veterans are watching this, you'll know that the exact same exploit occurred back in July 2012, which affected every single Minecraft account. Millions of accounts. Mojang was well aware of the issue, and yet in 2020 it happened again. The company never released an official statement or warning about this problem, at least I haven't been able to find anything from them about it, probably because they didn't want everyone to panic by saying something like, "Hey guys, there's a back door into every single Minecraft account and there's nothing you can do about it. We hope you're not famous or anything."
"No, come on."
To their credit, this was patched very quickly. On Sunday morning, March 1st, Mojang patched the exploit, and people weren't able to log in as their favorite streamers anymore.
Theoretically, if this still worked today, what would you do if you could log into any Minecraft account and go onto any server? I want to know what approach you would take and why. Personally, I would log in as Dream and start messing around on my Minecraft server, but let me know in the comments what you would do. And of course, if you enjoyed this video, smash subscribe and I will place my Minecraft bed right next to yours.
Video Information
This video, titled ‘How 126,000,000 Minecraft Accounts Got Hacked’, was uploaded by Beluga on 2021-05-28 18:44:48. It has garnered 7071085 views and 237357 likes. The duration of the video is 00:14:10 or 850 seconds.
Last year, 126,000,000 Minecraft accounts got hacked. This was absolutely insane.
This video explains the Minecraft Session ID exploit, one of the most dangerous bugs in Minecraft’s history. I’ll show you how it works, some YouTubers who were affected, and Mojang’s response. Watch until the end, this story is unbelievable.
DISCORD ➤ https://discord.gg/CETznntGeQ
TWITTER ➤ https://twitter.com/beluga1000
MINECRAFT SERVER ➤ lucid-craft.com
Clips used:
https://www.youtube.com/watch?v=InVE_8H3lEY
https://www.youtube.com/watch?v=uvYHRd2BNsM
https://www.youtube.com/watch?v=u3qpp8D8i4s
#Minecraft
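
The flaw the transcript describes, a join check that accepts any valid session token without comparing it to the claimed username, is shown here next to a check that binds the token to the account it was issued to. This is an added example, not code from the video or from Mojang: the `SessionService` class, its method names and the sample account names are hypothetical, and the model is a constructed toy, not the real authentication protocol.

```python
import secrets


class SessionService:
    """Toy session authority (hypothetical model, not Mojang's API)."""

    def __init__(self):
        self._owner_by_token = {}  # token -> username it was issued to

    def login(self, username):
        # Password verification is assumed to have succeeded already.
        token = secrets.token_hex(16)
        self._owner_by_token[token] = username
        return token

    def logout(self, token):
        # Quitting the game destroys the session, as the transcript notes.
        self._owner_by_token.pop(token, None)

    def join_legacy(self, claimed_username, token):
        # Flawed check: only asks "is this token live?" and never looks
        # at claimed_username, so the token is not tied to an account.
        return token in self._owner_by_token

    def join_bound(self, claimed_username, token):
        # Hardened check: the token must be live AND must have been
        # issued to the username the client claims to be.
        owner = self._owner_by_token.get(token)
        return owner is not None and owner == claimed_username


def demo():
    svc = SessionService()
    token_a = svc.login("player_a")  # constructed sample accounts
    token_b = svc.login("player_b")
    results = {
        "legacy_own": svc.join_legacy("player_a", token_a),
        # Token issued to player_b, presented under player_a's name.
        "legacy_mismatch": svc.join_legacy("player_a", token_b),
        "bound_own": svc.join_bound("player_a", token_a),
        "bound_mismatch": svc.join_bound("player_a", token_b),
    }
    svc.logout(token_a)
    results["bound_after_logout"] = svc.join_bound("player_a", token_a)
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

Only the legacy check accepts the mismatched pair; the bound check rejects it and also rejects a token after logout.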