Does Mojang blacklist or throttle login attempts from specific IP addresses?
I recently ran a Minecraft event with 50 players, all in the same physical space with a shared internet connection. About 2/3 of players were challenged for their authentication credentials, and after entering known good email addresses and passwords that had all previously worked, login was denied with an error indicating invalid credentials.
I was able to reset the passwords on these accounts, but even after resetting the passwords they still did not work.
The strangest thing was that the newly reset passwords would not even work when trying to log in via https://accounts.mojang.com/login -- I would reset a password, get the green confirmation message that the new password was successfully set, and then when I tried logging in again via the web site it would not accept it.
Switching over to an internet connection via a cell phone resulted in everything working. We tried to fool the system by logging in over a cell connection, and then switching the network back, and that worked for a few accounts but then we started getting "invalid token" errors after switching networks.
Then after a couple hours, everything worked again.
To me this points to a temporary throttling or blacklist of the network's IP address.
Since everything worked fine before and after the event, I tend to believe it is not a problem with the firewall or network configuration on our side of things.
Is this a known practice used by Mojang?
What triggers it?
Is there a way to proactively avoid it by getting an IP address whitelisted?
Why don't they provide any actionable information when they are doing this, and why would they permit a password to be reset but not used?
Best Answer
Around a month ago, Mojang added a new system to protect against logging into cracked accounts. If you fail to login to too many accounts during a short period of time, your IP will be blocked from somewhere around 30 minutes to 4 hours, then the accounts you tried logging into are flagged. The accounts are then reviewed, if it looks like it has been hacked then the account is reset and sent a new password to the original email. You must use a VPN to bypass this restriction, or use a HTTP Proxy for the actual login of the accounts
Pictures about "Does Mojang blacklist or throttle login attempts from specific IP addresses?"
Does Mojang ban IP?
Also, Mojang does block VPNs and publicly-shared IP addresses and has been doing so since 2016. This is to prevent cracked accounts farming and other potentially fraudulent behaviour.Why does my Mojang account keep getting hacked?
Mojang accounts are sometimes compromised by phishing or social engineering, and lists of those accounts often end up posted online.Why is my Minecraft account blocked?
If you tried to sign in to your account and received a message that it's been locked, it's because activity associated with your account might violate our Terms of Use.Has my Minecraft account been hacked?
There are a couple of ways to immediately tell if your Minecraft account has been compromised. These include: Receiving an email from Mojang, the Minecraft developer, that your account has been logged into from an unknown device.IP is Blacklisted when I Try to Login in Directadmin
More answers regarding does Mojang blacklist or throttle login attempts from specific IP addresses?
Answer 2
I do know that Mojang filters out many logins since you may be using a leaked account or something like that. I only know this since a friend tried that a while back and he could not login in to Minecraft for a full day.
The only way that I know of to bypass that restriction would be to have a VPN running, but you would have to use different VPNs for everyone or else they will all still have the same IP.
For the question as to why they would allow a password reset but not allow you to use it, I really have no clue. Sorry about that part!
Wish you the best of luck though!
Answer 3
I think the answer is yes, based on my experience writing command line tools for Minecraft admins - https://github.com/air/minecraft-tools
- Run the login script from my PC (or any other computer I've tried) - it works.
- Run the login script from my DigitalOcean server - fails 100% of the time with 'invalid credentials'.
It doesn't matter which one I try first, or how long the interval between logins is. My DigitalOcean server is on a blacklist, as far as I can tell.
Answer 4
If you failed to log in too many times during a shot time period, your IP will be throttled for 1 hour (2 hours before somewhere in 2017); the official advice is: Wait 1 hour (on #minecrafthelp we usually advise double of that time because people get impatient), reset your password then try logging in again.
Also, Mojang does block VPNs and publicly-shared IP addresses and has been doing so since 2016. This is to prevent cracked accounts farming and other potentially fraudulent behaviour.
Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.
Images: Tobias Dziuba, Pixabay, Pixabay, Anderson Guerra