Minecraft Authentication Plugin (2011)
Disclosure
This project involved stealing account credentials from real people without their knowledge or consent. I was around eleven or twelve years old. It was wrong. I'm writing it up anyway because it's an interesting story and because the techniques — a convincing fake service and in-game social engineering — are genuinely worth understanding.
How Minecraft Multiplayer Worked
If you played Minecraft around 2011, you remember how multiplayer worked. You went to PlanetMinecraft, found a server you liked, copied the IP address, opened the game, hit Multiplayer, pasted it in, and connected. Servers that had been recently bumped — re-posted to push them back to the top of the list — showed up first, so active servers got a steady stream of new players just from that.
This all assumed you had a paid copy of the game and a Mojang account. If you didn't — if you were running a cracked copy — you couldn't authenticate with Mojang's servers, and you'd get rejected from any normal server. But there were servers that ran in offline mode, which disabled Mojang authentication entirely, so anyone could join regardless of whether they'd paid. These were called cracked servers.
The obvious problem with offline mode is that the server has no way to verify who you are: the client announces a username when it connects, and the server simply takes its word for it. Anyone can type any username they want. So cracked servers used a plugin — typically something like AuthMe — to run their own authentication layer on top of the game. The first time you joined, you'd type /register <password>. Next time you'd type /login <password>. Until you did, you were frozen — couldn't move, couldn't interact with anything, couldn't chat. Once you were logged in, the username was bound to the password you had chosen at registration, so nobody who didn't know that password could play as you. Note where that password lived: the plugin hashed it and stored it on that one server, which means the server operator, not Mojang, was the party holding it.
The Observation
I noticed something while browsing PlanetMinecraft: some servers that weren't advertised as cracked servers — normal servers you could join with your paid Mojang account — still made you register with an auth plugin. You'd connect fine, authentication passed, and then you'd immediately get a prompt asking you to type /register. Nobody seemed to find this suspicious. People just registered and played.
The plugin wasn't there because it needed to be. Those players had real accounts, and Mojang had already verified them when they connected; a second password on top added nothing. It was just something the server admin had installed. But from the player's perspective it looked like extra security, so they complied — and they had no reason to use a different password from the one they used for everything else. The result is that whoever runs the server ends up holding a password of the player's own choosing, and the only thing between the operator and that password is whether the plugin bothers to hash it.
I had an idea.
MIT Summer Camp
That summer I went to a programming camp at MIT where we learned Java. Minecraft plugins were written in Java. I had a reason to pay attention.
By the end of the summer I knew enough to write a Bukkit plugin. What I wrote looked, from the player's perspective, exactly like a legitimate auth plugin. The commands were the same. The messages were the same. The behavior was the same — you registered, you got confirmed, you could play.
The only difference was that instead of hashing the password and storing it securely, it wrote the username and password to a plaintext file on the server.
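To make the difference concrete, here is a small Python model of an AuthMe-style auth plugin, written for this page (it is not the post's Bukkit plugin and not AuthMe's code). The register/login flow and the frozen-until-logged-in state are the behaviour the post describes; the two credential stores show what the plugin wrote to disk in each case. The player name, password, and PBKDF2 parameters are constructed assumptions for the demo:

```python
"""Model of an offline-mode Minecraft auth plugin with two credential stores.

Constructed example for illustration; not the post's plugin and not AuthMe.
The store classes stand in for the file the plugin writes on the server.
"""
import hashlib
import hmac
import os


class HashedStore:
    """What a legitimate plugin stores: random salt + PBKDF2 digest.
    PBKDF2-HMAC-SHA256 with 100k iterations is an assumed, reasonable choice."""

    def __init__(self):
        self.records = {}  # username -> (salt, digest)

    def save(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.records[username] = (salt, digest)

    def verify(self, username, password):
        rec = self.records.get(username)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def dump(self):
        # The operator's view of the file: hex digests, no passwords.
        return {u: d.hex() for u, (_, d) in self.records.items()}


class PlaintextStore:
    """What the post's plugin did: username and password written as-is."""

    def __init__(self):
        self.records = {}  # username -> password

    def save(self, username, password):
        self.records[username] = password

    def verify(self, username, password):
        return self.records.get(username) == password

    def dump(self):
        # The operator's view of the file: every password, readable.
        return dict(self.records)


class AuthPlugin:
    """/register and /login; a player is frozen until logged in."""

    def __init__(self, store):
        self.store = store
        self.logged_in = set()

    def on_join(self, username):
        self.logged_in.discard(username)  # every connection starts frozen
        if username in self.store.records:
            return "Please /login <password>"
        return "Please /register <password>"

    def can_act(self, username):
        """Move, interact, chat: all gated on this."""
        return username in self.logged_in

    def on_command(self, username, line):
        parts = line.split(maxsplit=1)
        if not parts:
            return ""
        cmd = parts[0]
        if cmd == "/register":
            if username in self.store.records:
                return "Already registered, use /login"
            if len(parts) < 2:
                return "Usage: /register <password>"
            self.store.save(username, parts[1])
            self.logged_in.add(username)
            return "Registered and logged in"
        if cmd == "/login":
            if len(parts) < 2 or not self.store.verify(username, parts[1]):
                return "Wrong password"
            self.logged_in.add(username)
            return "Logged in"
        if not self.can_act(username):
            return "You must /login first"
        return "ok"


def walkthrough(store_cls, username="Steve", password="hunter2"):
    """One player registers, reconnects, fails a login, then succeeds.
    Returns the frozen/playing states and what the operator can read."""
    plugin = AuthPlugin(store_cls())
    plugin.on_join(username)
    frozen_on_join = not plugin.can_act(username)
    plugin.on_command(username, f"/register {password}")
    plugin.on_join(username)  # reconnect: frozen again until /login
    plugin.on_command(username, "/login not-the-password")
    frozen_after_bad_login = not plugin.can_act(username)
    plugin.on_command(username, f"/login {password}")
    return {
        "frozen_on_join": frozen_on_join,
        "frozen_after_bad_login": frozen_after_bad_login,
        "playing_after_login": plugin.can_act(username),
        "operator_sees": plugin.store.dump()[username],
    }


if __name__ == "__main__":
    for store in (HashedStore, PlaintextStore):
        print(store.__name__, walkthrough(store))
```

From the player's side the two runs are indistinguishable: both freeze you on join, both reject the wrong password, both let you play after the right one. The only difference is the `operator_sees` value, which is the whole attack.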
Running the Server
I set up a Minecraft server, installed my plugin, posted it to PlanetMinecraft, and started bumping it. Every time I bumped the listing, twenty or thirty people would join. They'd connect, see the registration prompt, type their password, and start playing. They had no idea anything was off.
I ended up with around two hundred username and password pairs. A significant portion of them worked on the actual Minecraft login page — people had used the same password for everything. I could log into their accounts.
I don't know what I was expecting to do with two hundred Minecraft accounts. I mostly just collected them.
The Moderator Application
There was a problem with some accounts. Mojang had a migration system where older accounts were moved to email-based login instead of username-based login. For those players, knowing their Minecraft username and password wasn't enough — I'd also need their email address, which I had no way to get from the registration prompt.
So I handled those differently. I'd approach them in the game and ask if they wanted to be a moderator on the server. Most people said yes — getting mod on a server was a big deal. I'd give them a book in the game, which in Minecraft is a writable item. The book was a moderator application. It had real-looking questions: why do you want to be a moderator, what experience do you have, have you been banned from other servers.
The first question was: what is your email address.
It didn't work every time. But it worked sometimes. I got maybe ten logins that way.
Reflection
I genuinely don't know why I did this. I didn't sell the accounts. I didn't grief anyone's world or drain their inventory. I just collected credentials and logged in to prove I could.
Looking back, the techniques were real: a convincing fake service that people had no reason to distrust, combined with targeted social engineering for harder targets. Those are not toy concepts. The fact that it worked on two hundred people — real people, not test accounts — is something I've thought about a lot since.
The obvious lesson is don't reuse passwords. The less obvious lesson is that people don't scrutinize prompts that look routine. The registration screen looked exactly like every other registration screen. Nobody questioned it because nobody had a reason to.