

Credentials from Bitcoin-paying poker site hacked and sold for – bitcoins

Data dump; Network intrusion; Password cracking; Stolen credentials

Seals with Clubs, which deals only in Bitcoins, published a notice on Dec. 19 stating an undisclosed number of encrypted user passwords have been compromised. Coincidentally, a password-cracking forum just received 42,000 encrypted passwords that, when decrypted, spell out passcodes like “sealswithclubs” and “pokerseals.”

Within the contribution, “which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of [encrypted passwords] and offered $20 in Bitcoins for every 1,000 unique [passwords] that were cracked,” Ars Technica reports. “One day in, about two-thirds of the list has been cracked. It wouldn't be surprising to see that amount reach 80 percent or higher in the coming days.”

The advisory that Seals published mentions none of the above.

The only reference to what happened during the hack reads, “The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised.” The rest of the notice tells users to reset their passwords and take other security precautions.

Ars explains why the passwords were so easy to unravel:

“It's unfortunate Seals with Clubs security engineers chose such a poor algorithm to hash [meaning, 'scramble'] its users' passwords,” the publication reports. “SHA1, MD5, and for that matter the recently released SHA3 hash functions are ill-suited to passwords. That's true even when those algorithms are used with cryptographic salt, which makes life much harder on crackers by producing a unique hash even when two or more users choose the same password. The reason SHA1 and their ilk should be taboo is that they're extremely fast and require relatively minimal computing resources to convert plaintext into ‘message digests,’ which is just another name for hashes.”

Ars goes on to say that a better choice would have been PBKDF2 or bcrypt, which are algorithms that were designed to be much slower and more computationally demanding to break. “That buys breached websites and end users time to change passwords before the accounts they protect are compromised,” the publication reports.
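As an added illustration (not code from Ars Technica or Seals with Clubs), the Python sketch below puts a single salted SHA-1 pass beside PBKDF2 storage and measures how much more work each password guess costs under the slow scheme. The function names, the record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumption: example work factor; tune to your own hardware

def fast_salted_sha1(password: str, salt: bytes) -> bytes:
    """The weak 'before' scheme: one salted SHA-1 pass per guess."""
    return hashlib.sha1(salt + password.encode()).digest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Slow 'after' scheme: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations, salt, want = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: reject instead of crashing
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(got, want)

def needs_rehash(stored: str, target: int = ITERATIONS) -> bool:
    """True when a record is below the current work factor (upgrade at next login)."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdecimal() or int(parts[1]) < target

def guess_cost_ratio(iterations: int = ITERATIONS, samples: int = 20_000) -> float:
    """How many salted SHA-1 guesses fit in the time of one PBKDF2 guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        fast_salted_sha1("pokerseals", salt)
    per_sha1 = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"pokerseals", salt, iterations)
    return (time.perf_counter() - start) / per_sha1

if __name__ == "__main__":
    record = hash_password("pokerseals")  # sample password quoted in the article
    print(record, verify_password("pokerseals", record))
    print(f"one PBKDF2 guess costs about {guess_cost_ratio():,.0f} salted SHA-1 guesses")
```

Storing the iteration count inside each record is what lets `needs_rehash` raise the work factor later without forcing a site-wide reset.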

With password crackers quickly figuring out Seals users' credentials, users now face some potentially damaging fraud.

“It's safe to assume that virtually all account holders of Seals with Clubs are Bitcoin users. It's also safe to assume that some percentage of Seals with Clubs players reuse their passwords for other sites or services. That means the people holding the spilled hash cache are sitting on a potentially lucrative list of credentials that could unlock accounts holding huge sums of money,” Ars reports. 

ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.




December 19, 2013

reported by

Ars Technica

number affected

42,000 passwords

location of breach




location of perpetrators


date breach occurred

Before November 2013

date breach detected

