Threatwatch

Credentials from Bitcoin-paying poker site hacked and sold for – bitcoins

Data dump; Network intrusion; Password cracking; Stolen credentials

Seals with Clubs, which deals only in Bitcoins, published a notice on Dec. 19 stating an undisclosed number of encrypted user passwords have been compromised. Coincidentally, a password-cracking forum just received 42,000 encrypted passwords that, when decrypted, spell out passcodes like “sealswithclubs" and "pokerseals.”

Within the contribution, “which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of [encrypted passwords] and offered $20 in Bitcoins for every 1,000 unique [passwords] that were cracked,” Ars Technica reports. “One day in, about two-thirds of the list has been cracked. It wouldn't be surprising to see that amount reach 80 percent or higher in the coming days.”

The advisory that Seals published mentions none of the above.

The only reference to what happened during the hack reads, “The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised.” The rest of the notice tells users to reset their passwords and take other security precautions.

Ars explains why the passwords were so easy to unravel:

“It's unfortunate Seals with Clubs security engineers chose such a poor algorithm to hash [meaning, 'scramble'] its users' passwords,” the publication reports. “SHA1, MD5, and for that matter the recently released SHA3 hash functions are ill-suited to passwords. That's true even when those algorithms are used with cryptographic salt, which makes life much harder on crackers by producing a unique hash even when two or more users choose the same password. The reason SHA1 and their ilk should be taboo is that they're extremely fast and require relatively minimal computing resources to convert plaintext into ‘message digests,’ which is just another name for hashes.”

Ars goes on to say that a better choice would have been PBKDF2 or bcrypt, which are algorithms that were designed to be much slower and more computationally demanding to break. “That buys breached websites and end users time to change passwords before the accounts they protect are compromised,” the publication reports.

With password crackers quickly figuring out Seals users' credentials, users now face some potentially damaging fraud.

“It's safe to assume that virtually all account holders of Seals with Clubs are Bitcoin users. It's also safe to assume that some percentage of Seals with Clubs players reuse their passwords for other sites or services. That means the people holding the spilled hash cache are sitting on a potentially lucrative list of credentials that could unlock accounts holding huge sums of money,” Ars reports. 

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.

sector

Entertainment

reported

December 19, 2013

reported by

Ars Technica

number affected

42,000 passwords

location of breach

Unknown

perpetrators

Unknown

location of perpetrators

Unknown

date breach occurred

Before November 2013

date breach detected

Unknown