
Threatwatch

Credentials from Bitcoin-paying poker site hacked and sold for – bitcoins

Data dump; Network intrusion; Password cracking; Stolen credentials

Seals with Clubs, which deals only in Bitcoins, published a notice on Dec. 19 stating an undisclosed number of encrypted user passwords have been compromised. Coincidentally, a password-cracking forum just received 42,000 encrypted passwords that, when decrypted, spell out passcodes like “sealswithclubs” and “pokerseals.”

Within the contribution, “which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of [encrypted passwords] and offered $20 in Bitcoins for every 1,000 unique [passwords] that were cracked,” Ars Technica reports. “One day in, about two-thirds of the list has been cracked. It wouldn't be surprising to see that amount reach 80 percent or higher in the coming days.”

The advisory that Seals published mentions none of the above.

The only reference to what happened during the hack reads, “The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised.” The rest of the notice tells users to reset their passwords and take other security precautions.

Ars explains why the passwords were so easy to unravel:

“It's unfortunate Seals with Clubs security engineers chose such a poor algorithm to hash [meaning, 'scramble'] its users' passwords,” the publication reports. “SHA1, MD5, and for that matter the recently released SHA3 hash functions are ill-suited to passwords. That's true even when those algorithms are used with cryptographic salt, which makes life much harder on crackers by producing a unique hash even when two or more users choose the same password. The reason SHA1 and their ilk should be taboo is that they're extremely fast and require relatively minimal computing resources to convert plaintext into ‘message digests,’ which is just another name for hashes.”

Ars goes on to say that a better choice would have been PBKDF2 or bcrypt, algorithms deliberately designed to be slow and computationally expensive to compute, so that each guess a cracker makes costs far more. “That buys breached websites and end users time to change passwords before the accounts they protect are compromised,” the publication reports.
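To make the point concrete, here is an added example (not code from the article, Ars, or Seals with Clubs) that stores a password two ways: a salted SHA-1 digest like the one Ars criticises, and a PBKDF2-HMAC-SHA256 record with a work factor. The iteration count, salt length and record format are assumptions chosen for illustration, and the throughput figures depend on the machine it runs on.

```python
# Added example: why a salted fast hash still falls quickly and a work-factor
# hash does not. Iteration count and record layout are assumed, not the site's.
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune so one verification takes ~100 ms

def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: unique per user, but cheap enough to guess at enormous rates."""
    return hashlib.sha1(salt + password.encode()).digest()

def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt idea, but each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store everything a verifier needs: algorithm, work factor, salt and digest."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core guessing rate for a hash function (a cracker's cost model)."""
    salt = b"constructed-salt"  # constructed sample value
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(f"guess{count}", salt)
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    rec = make_record("sealswithclubs")  # one of the cracked passwords quoted above
    print(verify("sealswithclubs", rec), verify("pokerseals", rec))  # True False
    print(f"salted SHA-1: {guesses_per_second(fast_hash):,.0f} guesses/s")
    print(f"PBKDF2:       {guesses_per_second(slow_hash):,.0f} guesses/s")
```

The ratio between the two printed rates is the time a work-factor hash buys defenders to reset passwords, which is exactly the margin Ars says Seals with Clubs gave up.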

With password crackers quickly figuring out Seals users' credentials, users now face some potentially damaging fraud.

“It's safe to assume that virtually all account holders of Seals with Clubs are Bitcoin users. It's also safe to assume that some percentage of Seals with Clubs players reuse their passwords for other sites or services. That means the people holding the spilled hash cache are sitting on a potentially lucrative list of credentials that could unlock accounts holding huge sums of money,” Ars reports. 

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.

sector: Entertainment

reported: December 19, 2013

reported by: Ars Technica

number affected: 42,000 passwords

location of breach: Unknown

perpetrators: Unknown

location of perpetrators: Unknown

date breach occurred: Before November 2013

date breach detected: Unknown
