Massive security exploit within BLC
Posted on 24 January 2021 - 02:05 PM
So, back in July, I was playing Hypixel Skyblock, as usual. One day, however, I logged back in to see my items stolen and traded. I was devastated; however, I changed both my email and Minecraft account to something different. I played normally until about today. Today, I decided to use Badlion for the first time. So, I downloaded it and then proceeded to try to make an account, and it stated the email was already in use. I was surprised, as I've never touched Badlion at all. I tried to log in with my new password, and it didn't work. But, I tried my old password before it was changed, and I was able to log in and play as usual. This is a MASSIVE exploit within Badlion. People who make your account through Badlion without your consent gain the power to log in at any time, despite the Minecraft account password being changed. And if they manage to use 2FA on your account, then you are locked out forever. I suggest to make it so that when your Minecraft account is changed, the BLC account password is changed with it.
Posted on 28 January 2021 - 02:09 AM
Spectre_the_wolf wrote
So, back in July, I was playing Hypixel Skyblock, as usual. One day, however, I logged back in to see my items stolen and traded. I was devastated; however, I changed both my email and Minecraft account to something different. I played normally until about today. Today, I decided to use Badlion for the first time. So, I downloaded it and then proceeded to try to make an account, and it stated the email was already in use. I was surprised, as I've never touched Badlion at all. I tried to log in with my new password, and it didn't work. But, I tried my old password before it was changed, and I was able to log in and play as usual. This is a MASSIVE exploit within Badlion. People who make your account through Badlion without your consent gain the power to log in at any time, despite the Minecraft account password being changed. And if they manage to use 2FA on your account, then you are locked out forever. I suggest to make it so that when your Minecraft account is changed, the BLC account password is changed with it.
Hey.
The Badlion account/password system is 100% separated from Minecraft. We do not store, log, or do anything with your Minecraft passwords. The Badlion Client sends the request directly to the Microsoft or Mojang servers (depending on how you log in).
Sharing a password between services is generally a bad practice, and you should set up a unique password for each service that you use. Free password management software is available through various websites, one example being https://lastpass.com/
Hope this clarifies any confusion from you, but there are no security exploits with Badlion Client that you are describing here.