What is an Alt Token and how can I avoid?

Status
This thread has been locked.

cpryt

Feedback score
0
Posts
55
Reactions
33
Resources
0
Hello,

As the title states, what is an Alt Token (for Minecraft) and how can I avoid my account being compromised of such?

I am asking this because I am not knowledgeable and would like someone with the know-how to help me understand. This is moreso in reference to sites such as MCLeaks & TheAltening where their service allows random people to be able to log use an account using their authentication service. Do these sites use SQL injections?

So long as I update my password every so often, I should be safe, correct? I imagine that these tokens can only be generated if a third party already has current access to the account itself, with them holding the account information on their side.

Thanks for the quick read, hope to see some insightful responses!
 
PebbleHost
High performance, consistent uptime and fast support. Minecraft hosting that just works.

Doge

Long Dogs
Supreme
Feedback score
126
Posts
5,271
Reactions
8,930
Resources
0
What these guys do is they get data breaches, crack the hashes and have email + pass combos. They then try these against minecraft and get a bunch of working accounts.

If you straight up share an email + pass combo, if too many people log in too quickly, the password will be reset. So the solution these sites made is their own database that has these combos + a "token" to identify each account. They also provide you with a special client where you enter this token, and it proxies the login/connection via their own IPs, so this prevents the password reset problem, since all logins are through their IP.

Also SQL injection is one of the lowest level things out there and requires very little skill most of the time. Normally this is done to shitty/outdated forums/sites to gain more combos for trying them against other sites. The only way this would affect you is if a site gets breached and you used the same email + pass, otherwise, you're fine.

I imagine that these tokens can only be generated if a third party already has current access to the account itself, with them holding the account information on their side.
Correct

How to pretty much have your minecraft account be untouchable:
1. Don't reuse the same password anywhere else.

2. Have an email which you created just for the account, one which nobody else knows and hasn't been used for other registrations.

3. Make your security questions randomized and not guessable at all.

4. Don't download sketchy stuff.

5. Keep your info private, don't let anyone gain enough to the point where they can social engineer Mojang. (If you purchased a giftcode in a physical store with cash, this doesn't apply)

6. To guarantee complete security, make sure you are the original owner, this way, nobody else will have the TID and it can't be pulled.
 
Last edited:
Status
This thread has been locked.
Top