Clubbed to death? Bitcoin-only poker site Seals With Clubs leaks 42,000 passwords in attack

An online poker site which did all its cash-ins and cash-outs in Bitcoin has admitted to a data breach in which 42,000 user passwords were stolen – and is instituting emergency measures to prevent the attackers gaining access to the cryptocurrency.

The site immediately initiated a mandatory password reset, and blamed the attack on a datacenter it had employed earlier in the year.

The stolen passwords were encrypted, the site says, and it detailed further security practices which it aimed to put in place immediately. On the site, players used chips worth 1/1000 of a Bitcoin. The site gave no indication that any Bitcoin wallets had beeen breached, or any of the cryptocurrency stolen.

It’s the latest in a string of cyber-heists targeting the currency, with increasing detection of malware built to steal Bitcoin. Within a single week, two sites hosting online wallets for the cryptocurrency Bitcoin were targeted by hackers – the ‘heists’ netted more than $1 million each.

In a statement issued via its site, Seals With Clubs   said, “The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised.”

“Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.”

“As a response to this occurrence, a top priority is to further put user’s security into their own hands beyond offering two-factor authentication. This includes the ability to permanently lock withdrawal address, locking out the transfer feature, and locking out account access except for a set of IPs (at least one of which must be the currently used IP). Expect to see these features in the near future.”

Ars Technica, however, were critical of the SHA1 encryption used on the passwords, saying, “Attacks on weaker MD5 algorithm show how devastating a crack could be.   It’s unfortunate Seals with Clubs security engineers chose such a poor algorithm to hash its users’ passwords. As Ars has long explained, SHA1, MD5, and for that matter the recently released SHA3 hash functions are ill-suited to passwords.

Despite a series of heists, and malware built to steal the currency, as well as high-profile law-enforcement actions against ‘dark market’ sites such as Silk Road, which conducted transactions in Bitcoin, the currency’s value has soared throughout the year.

Earlier this year, ESET detected more and more new variants of malware that attempted to steal Bitcoins, mine Bitcoins illegally, or break into wallets.

We Live Security offers a comprehensive guide to using Bitcoin securely here.  ESET’s Robert Lipovsky says, “There are several important rules to keep  Bitcoins safe. The key words here are: back up and encrypt. Bitcoin provides a way to encrypt wallets, and this would make it much more difficult for the attacker to get his hands on the Bitcoins.”


Author , We Live Security

  • Philip Jones

    This is one very unfortunate event I heard in bitcoin gambling. I believe the main problem is on the site. They should’ve used strong cryptographic algorithm to protect users’ password and account security. Attackers are smarter than you think, security engineers should use an SSL technology that hackers cannot encrypt. Guys, if you want a provably fair site—devote some time to research.


Follow us

Copyright © 2017 ESET, All Rights Reserved.