Community Alert Your ALL OGI Minecraft OG might not be "secure" - Here's why

uu

 
Account Security

I. About

This thread will serve as a rudimentary guide about account security and what constitutes a secure account. Generally, people assume an account including all original information is the most secure it can get. This is a misguided belief—there are many more aspects to a secure account than the inclusion of all the original info. Because most elements in account security conflate, each of these categories assumes you already know (to some degree) what account security is.

THIS IS STRICTLY MINECRAFT ACCOUNTS

II. Terminology (Glossary)


Account security comprises several different categories or conditions an account may be in, some of which may be familiar, while others may be unfamiliar:

  • Original information (OGI) - The information the account was made with, or, any information that is necessary to verify the ownership of the account if Mojang asks.
  • The owner history
  • "The (SSID) exploit" status
  • MSA-Migrated vs. MSA-Made
  • Method of acquirement
  • Reputation of previous owners
  • And more

III. OGI: All OGI is not always all good

The consensus is that all OGI is the top security an account can have. That isn't always true. Have you ever considered the previous seller provided false OGI? It doesn't matter if it's "all OGI" if none of it is actually real. That conflates with short, reputable owner history—the fewer people in the history, the better. If the owner history is long and the account gets pulled, you won't know who did it (most assume it's the seller, but it could have been the seller to the seller). Furthermore, if the original owner gave false OGI to the first buyer, every single buyer after the first one will have incorrect OGI and nobody will know until something happens.

You should also consider that it might not have been done deceptively. There's the chance the owner provided incorrect OGI because they didn't gather or document the right OGI for the account, accidentally. Moreover, the clear definition of all OGI varies—some say the TID, OGE (knowledge or access), creation date, and creation location suffices. Others are more careful to define all OGI as the TID, OGE (access only), creation date, creation location, IP of creation, ISP, credit card/method of payment, device of registration, etc. So, you can't really be sure the owner is actually providing you with absolutely everything if their definition of all OGI is not the full amount of original info. One large debate is whether OGEK (knowledge) is considered all OGI since OGE access is less common nowadays.

Here's a hot take: Me, personally, I prefer no OGI accounts now rather than all OGI accounts in most occasions. Here's why:

  • If the owner history is long and/or not reputable, or if the account was MIGRATED (VERY IMPORTANT) not made as an MSA, it can be pulled and it'll be difficult to find the perpetrator
  • OGI doesn't do jackshit. I'll expand on this in a second

If the owner history is long and/or not reputable (and the "all OGI" given was indeed correct), many people know the same info. If it gets pulled, who did it? It'll be hard to track that. Furthermore, if the account was migrated from Mojang to Microsoft, it can be demigrated which is even harder to track. This isn't possible for Microsoft-made accounts, and I'll go into detail about the discrepancies between these two in a later section.

Here's my experience with OGI. I remember going first in a deal with someone & they scammed me. I tried to retrieve my account (literally a 3-char worth $25, not high value at all) and Mojang still shut me down even though I was the ORIGINAL OWNER and documented all the OGI.

This happened again, except with an MFA (worth $5 lol) and I got scammed. I was not the OGO in this case, but I did have all OGI. Guess what? Mojang still turned it down. Mind you, I used this same OGI to get the name history removed before the API went private. Mojang accepted that request, the name history was indeed removed, proving the OGI was valid (unless the rep was just an idiot). Unlike the 3-char, this account was MSA-Migrated and even still the OGI wasn't much help.

Most of these issues boil down to the Microsoft migration, which is why MSA-Made accounts are far superior to MSA-Migrated ones. Again, this is covered in detail later.

Now, if you're buying an account with short and reputable history, all OGI would be best. This would allow you to unlock the account if it does get locked. You won't have to worry about previous owners having the OGI since there are few and they're all reputable. But if the account does have a little bit longer history OR the history is not entirely reputable, you might be better off with a no OGI account. If you do get an account with no OGI, NOBODY can pull it. If it gets locked, then that's unfortunate—the account wasn't that secure to begin with if it does get locked that easily. But if not, then you won't have to worry about any previous owners pulling it—reputable or not reputable—since nobody has the info to do it.

In contrast though, you should still be wary of people advertising "no OGI" accounts. There's the chance that they have the OGI but are not giving it to you, in which case the account is very insecure. Another possibility is that the account was phished or scammed off somebody (hence why they weren't able to get the OGI), which decreases the security a lot. There are still many caveats to no OGI accounts but I still prefer them over all OGI accounts if the owner history isn't comprised of HIGHLY reputable people and no more than 3 past owners.

Lastly, having all OGI, even if accurate, and even if the owner history is both reputable and short, can still backfire. Even if your account doesn't get pulled, your OGI has a second purpose—to be used to prove your ownership of the account, if it gets locked. Mojang is known to have biases against accounts with desirable usernames (or capes), hence, your OGI may still not suffice because Mojang reps are not compliant.


IV. Owner history is the most important factor of account security

No matter what info you're given or whatever else concerns the security, the owner history is THE MOST important part of it all. If the account has even 1 scammer in the history, it is not secure in the slightest. You can't sell it nor can you feel safe with it. If the owner history is long, again, this makes things very complicated. This ties closely with the "method of acquirement"—if the account was phished off the OGO, scammed, or ticketed, the account is not secure. If the OGO went first and gave all the completely accurate OGI, the account is still not secure if it was stolen off them. It can be locked or pulled back at any moment.

V. MSA accounts are very, very weird

If your Minecraft account was migrated to a Microsoft account (as it is required to play or use it now), the account can be demigrated if you go to support. If someone has the correct OGI, they can pull an account through this. Hence, every single Minecon account has more emphasis on this (and the owner history) since these are unchangeable attributes. Every Minecon was migrated—none were made as Microsoft accounts. That's why the owner history is more important than ever on them.

On the other hand, MSA-Made accounts are nearly impossible to pull or retrieve if you get beamed. They can't be demigrated, so 99% of the time Mojang support will tell you to talk to Microsoft support since "they deal with Microsoft accounts, as the account was migrated". As we all know (or come to know), Microsoft support is never helpful. You allegedly sign some agreement when making a Microsoft account that support cannot change your recovery info, at all, even in the case of an account being compromised. The only way to replace existing recovery info is by accessing the account (requires access to the current recovery info), or using the "recovery form" which updates the info after 30 days if you pass the security challenge (spoiler, the account's current owner can revoke this change, so if it was stolen off of you, this will not work). With all this in mind, it's clear MSA-Made accounts are basically impossible to pull, so whoever owns the account essentially has it forever, as it would be difficult to take it back.

But that's not all though. What about the exploit? This is the only noteworthy way of pulling an account, MSA-Migrated or MSA-Made. According to Zyger's previous thread on OGU, the method bypasses any recovery info changes and any primary alias changes. This means the user can pull back the account even after everything is changed, unless the exploit is removed (Zyger does it for you if you use him as an MM + he can remove it if you ask him, very generous). If the account doesn't have the exploit, or if it was removed by Zyger, this should not pose a threat to security whatsoever. The exploit is often added by accident, so don't assume the seller had ill intent if it happens to be on the account.

Otherwise, MSA-Made accounts are incredibly difficult to pull, so if possible, it would be preferred to purchase a username claimed on a Microsoft-made account.


VI. Conclusion

Well, that wraps it up. This thread was meant to inform any newer users on how account security works (from a very basic standpoint) and also to expose some myths about account security that lead people to buy accounts, not knowing the account isn't as secure as they imagined. Let me know of any thoughts in the comments!
 


BANG

 
this is very helpful
 

ye

 
I won't read this all but I am sure this is a great thread
 

999

 
sticky this ong
 