'Seals With Clubs' Bitcoin Poker Site Hacked, 42,000 Passwords Stolen

Bitcoin poker site Seals with Clubs has confirmed that its database was compromised and 42,000 user passwords were stolen.

Dec 20, 2013 at 11:45 a.m. UTC
Updated Sep 10, 2021 at 12:05 p.m. UTC

Bitcoin poker site Seals with Clubs has confirmed that its database was compromised, although it failed to mention that it lost 42,020 hashed passwords in the process. The hashes were posted to a forum some 24 hours earlier and needless to say they attracted plenty of people bent on cracking them.

For some reason, Seals with Clubs used the SHA1 hash function, which is for all intents and purposes obsolete. Even the latest SHA3 hash is not suitable for passwords, because general-purpose hash functions are designed to be fast to compute. It appears that the site was relying on cryptographic salting to make the hashes more secure; salting ensures that different hashes are stored even if two users choose the exact same password.
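To illustrate the point about salting, here is an added Python example, not code from Seals with Clubs or from the original article. It assumes a salt-then-password SHA1 layout, a hypothetical record format, and PBKDF2-HMAC-SHA256 at 600,000 iterations as the slow replacement; it shows that per-user salts make identical passwords hash differently yet leave each guess cheap, and how a legacy record can be upgraded at the next successful login.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def sha1_salted(password: str, salt: bytes) -> bytes:
    # Legacy scheme (assumed layout: salt || password). One fast hash per guess.
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes) -> bytes:
    # Deliberately slow replacement: every guess costs ITERATIONS HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    # Hypothetical record format; each user gets a fresh random salt.
    salt = os.urandom(16)
    fn = sha1_salted if scheme == "sha1" else pbkdf2
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify_and_upgrade(record: dict, password: str):
    # Check the password against whichever scheme the record uses. A legacy
    # record that verifies is replaced with a PBKDF2 record on the spot.
    fn = sha1_salted if record["scheme"] == "sha1" else pbkdf2
    ok = hmac.compare_digest(fn(password, record["salt"]), record["hash"])
    if ok and record["scheme"] == "sha1":
        record = make_record(password)
    return ok, record


def guess_cost_ratio(trials: int = 1000) -> float:
    # How many salted-SHA1 guesses fit in the time of one PBKDF2 guess.
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        sha1_salted("constructed-sample", salt)
    fast = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    pbkdf2("constructed-sample", salt)
    return (time.perf_counter() - start) / fast


if __name__ == "__main__":
    a, b = make_record("constructed-pw", "sha1"), make_record("constructed-pw", "sha1")
    print("same password, different hashes:", a["hash"] != b["hash"])
    print("upgraded scheme:", verify_and_upgrade(a, "constructed-pw")[1]["scheme"])
    print("SHA1 guesses per PBKDF2 guess: %.0f" % guess_cost_ratio())
```

Upgrading at login only protects users who come back; records that stay on the legacy scheme remain as exposed as before, which is why a breached site also forces a reset.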

In any case, it did not take long for people to start figuring out some passwords, such as “bitcoin1000000”, “sealswithclubs”, “88seals88” and “pokerseals”. The revealed passwords quickly led security experts to join the dots and conclude that the passwords came from Seals with Clubs users.

On Wednesday, a user posted the database of hashes to a password recovery forum operated by commercial password cracking service InsidePro. The user offered $20 in bitcoins for every set of a thousand unique hashes. It took just nine minutes for the first reply and the first set of 1,000 hashes. Within a day, about two thirds of the list was cracked, reports Ars Technica.

By Thursday, Seals with Clubs was in damage control mode, officially admitting the breach and announcing that it had issued a mandatory password reset. A post on its site read:

The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in.

Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.

The site pointed out that it would implement additional security measures, including two-factor authentication and login from a limited number of IP addresses.

This, however, will not address another problem. Since Seals with Clubs is a bitcoin-only service, every account holder is a bitcoin user and there is a good chance that at least some of them reused the same password on other bitcoin sites. In other words, some users might be using the exact same password on their exchange accounts or online wallets.

As for Seals with Clubs, it is a relatively small site compared to major Texas Hold’em sites out there. The small team of poker players behind the site chose to remain anonymous and the site was apparently launched after they were sacked. We hope playing poker during office hours had nothing to do with it.

Disclosure


CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.