The same hacking group that took over Mark Zuckerberg’s Twitter account has now found a way to break into accounts connected to the hit game Minecraft.
OurMine isn’t revealing all the details behind the hack. The group said it works by stealing the Internet cookies from the site, which can be used to hijack any account. All that OurMine needs is the victim’s email address.
To test the hack, IDG News Service created a user account on Mojang, emailed OurMine and asked the group to break into it, which the group did. To show proof, the group renamed the user profile to “OurMine Team.”
The hack could allow the group to change the account’s password, too, OurMine claimed. But the hacking team says it has no malicious purpose in exposing the vulnerability.
“We found this exploit because we don’t want other hackers to know it,” the group said.
Mojang hasn’t responded to a request for comment.
The hack specifically targets the user account system that customers rely on to access the PC and Mac versions of the game. OurMine said it will reveal the entire hack to Mojang once the developer contacts the group.
The hackers have offered little information about themselves, but they’ve become best known for taking over the social media accounts of high-profile tech executives, including Zuckerberg and Google CEO Sundar Pichai.
In emails, the group has said it merely wants to help the public become aware of today’s cybersecurity problems, including the use of weak passwords.
The group’s recent hack of Mojang highlights the vulnerabilities with Internet cookies, which can store information like site preferences or user account credentials for site authentication.
If those are stolen, a hacker can use the cookies to impersonate the victim’s online identities. Security flaws found in browsers and credit-card sites in the past could expose cookies to easy theft.
Some security flaws found in the past in browsers and credit card sites also have made it easy to steal cookies.
In OurMine’s case, the hackers somehow cloned Mojang’s user account site as a way to extract the stolen cookies. OurMine says on its website that it sells services where it will examine a user’s Internet accounts and websites for weaknesses.