Bitcoin poker site Seals with Clubs has confirmed that its database was compromised, although it failed to mention that it lost 42,020 hashed passwords in the process. The hashes were posted to a forum some 24 hours earlier and needless to say they attracted plenty of people bent on cracking them.
For some reason Seals with Clubs used the SHA1 hash function, which for password storage is for all intents and purposes obsolete. Even the newer SHA3 hash is not suitable for passwords. The site appears to have relied on cryptographic salting to make the hashes more secure, ensuring that two users who chose the exact same password would still end up with different hashes.
In any case, it did not take long for people to start figuring out some passwords, such as “bitcoin1000000”, “sealswithclubs”, “88seals88” and “pokerseals”. The revealed passwords quickly led security experts to join the dots and conclude that the passwords came from Seals with Clubs users.
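The scheme described above, salted SHA1 with passwords such as those quoted, as an added example that is not from the article or from the site: it shows the one property salting does deliver (equal passwords, different hashes), why a per-user salt still costs a guesser only one SHA1 per attempt, and the slow salted KDF that a practitioner would use instead. The salt layout, the iteration count and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import os

# Legacy scheme as the article describes it: a per-user salt and a single
# SHA1 pass. The exact layout (salt || password) is an assumption, not
# something the site documented.
def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode()).digest()

# Replacement: a salted, deliberately slow KDF. The iteration count is a
# constructed work factor for this demo; tune it to your own hardware.
PBKDF2_ITERATIONS = 200_000

def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify(stored: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(stored, candidate)

def salting_distinguishes_equal_passwords(password: str) -> bool:
    """The property the site relied on: same password, different salts,
    different stored hashes. True, but it only defeats precomputed tables."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return legacy_sha1_hash(password, s1) != legacy_sha1_hash(password, s2)

def weak_password_audit(records: dict, wordlist: list) -> dict:
    """Re-hash each wordlist entry with every user's salt and report matches.
    With salted SHA1 this costs one SHA1 per (user, guess) pair, the same
    arithmetic that let the leaked list fall within a day; the same loop
    against pbkdf2_hash would cost PBKDF2_ITERATIONS HMACs per pair."""
    found = {}
    for user, (salt, stored) in records.items():
        for guess in wordlist:
            if verify(stored, legacy_sha1_hash(guess, salt)):
                found[user] = guess
                break
    return found

# Constructed sample records; two use passwords quoted in the article.
SAMPLE_RECORDS = {
    "alice": (b"\x01" * 16, legacy_sha1_hash("sealswithclubs", b"\x01" * 16)),
    "bob":   (b"\x02" * 16, legacy_sha1_hash("88seals88", b"\x02" * 16)),
    "carol": (b"\x03" * 16, legacy_sha1_hash("Xq7#vL9!pT2m", b"\x03" * 16)),
}
SAMPLE_WORDLIST = ["bitcoin1000000", "sealswithclubs", "88seals88", "pokerseals"]

if __name__ == "__main__":
    print(weak_password_audit(SAMPLE_RECORDS, SAMPLE_WORDLIST))
```

Running the audit against your own legacy records before a migration tells you which accounts must be force-reset first; accounts that survive the wordlist can be re-wrapped with pbkdf2_hash at next login.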
On Wednesday, a user posted the database of hashes to a password recovery forum operated by commercial password cracking service InsidePro. The user offered $20 in bitcoins for every set of a thousand unique hashes. It took just nine minutes for the first reply and the first set of 1,000 hashes. Within a day, about two thirds of the list was cracked, reports Ars Technica.
By Thursday, Seals with Clubs was in damage control mode, officially admitting the breach and announcing that it had issued a mandatory password reset. A post on its site read:
The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in.
Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.
The site pointed out that it would implement additional security measures, including two-factor authentication and restricting logins to a limited number of IP addresses.
This, however, will not address another problem. Since Seals with Clubs is a bitcoin-only service, every account holder is a bitcoin user, and there is a good chance that at least some of them reused the same password on other bitcoin sites. In other words, some users might be using the exact same password on their exchange accounts or online wallets.
As for Seals with Clubs, it is a relatively small site compared to major Texas Hold’em sites out there. The small team of poker players behind the site chose to remain anonymous and the site was apparently launched after they were sacked. We hope playing poker during office hours had nothing to do with it.