Last Thursday, Bitcoin-only online poker site SealsWithClubs.com announced that the database used to store user information had been accessed by an unauthorized user and that sensitive information was very likely acquired. As such, the site is requiring that all customers change their passwords upon their next login.
Below is the entire message from SealsWithClubs management, as posted on its website:
The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.
As a response to this occurrence, a top priority is to further put user’s security into their own hands beyond offering two-factor authentication. This includes the ability to permanently lock withdrawal address, locking out the transfer feature, and locking out account access except for a set of IPs (at least one of which must be the currently used IP). Expect to see these features in the near future.
Transfers may be disabled for a short period of time. Thank you very much for your understanding and support during this rough time. We sincerely apologize for any inconvenience or concern this may cause our players.
For those that are less-than-versed in cryptography-speak (such as this writer), you don’t really need to worry about what “salted” and “hashed” mean above. Basically, they are ways to make stored passwords even harder to steal by adding all sorts of extra noise to them. Noise that itself is extremely difficult to uncover.
Unfortunately for SealsWithClubs, it appears that thousands of hashes related to customer passwords were not only stolen, but made public. According to an article on arstechnica.com, a user named “StacyM” posted a file to the Paid Password Recovery forum of password cracking software developer InsidePro which contained 42,020 hashes. That user offered anyone $20 for every 1,000 hashes that could be cracked and was quickly taken up on that offer. There was no mention of where the hash list originated from, but various passwords that were cracked included “pokerseals,” “sealswithclubs,” and “88seals88,” making it fairly apparent that they were from the SealsWithClubs database.
SealsWithClubs hit an all-time traffic high last month, though it has recently come back down. It’s popularity was thought to be the result of the growing acceptance of Bitcoin, a virtual, decentralized currency that is not controlled by any government. In November, the Senate Homeland Security and Government Affairs Committee held a hearing to discuss the virtues and pitfalls of Bitcoin, and to the surprise of many, the attitudes of legislators towards the currency was generally positive. The value of a Bitcoin, in terms of dollars, spiked as a result after having already been riding a huge wave for a year. One Bitcoin is currently worth around $700 on popular exchanges.
