Hacker's hand trying to steal a credit card

PokerTracker Exec Confirms Credit-Card Hack Occurred at Start of 2019

An initial public statement has been made on behalf of PokerTracker online-poker tracking software following the discovery by anti-hacking company MalwareBytes that two domains associated with PokerTracker had been injected with credit card-scraping code. The statement, in the form of a post on the 2+2 discussion forum by Max Value Software, LLC (MVS) managing partner Derek Charles, confirms the discovery of the hack on August 8 while adding details about the hacking incident.

Software UpdateAccording to Charles, the antiquated Drupal open-source content-management script that was exploited by the Magecart attack was removed within an hour of MVS being notified on August 8 of the probable hack. Of course, by that time the damage had been done. Further, a programming audit showed that the hack likely occurred between December 23, 2018 and January 2, 2019, meaning that up to eight months of credit-card purchases of PokerTracker 4 were compromised.

Charles offered a bullet-point synopsis of what his company has uncovered regarding the hack:

  1. This was a highly customized and targeted attack of PokerTracker.com and it’s customers. The script was being loaded from ajaxclick.[com] which has not previously been seen in the wild.
  2. It appears that the attack took place between December 23, 2018 and January 2, 2019.
  3. We believe that the attackers were attempting to intercept credit card information while it was being sent from the user’s browser to the credit card processor. We do not have any information to confirm or deny whether the hackers were able to successfully intercept credit card and/or billing data.
  4. PokerTracker does not save or store any credit card or billing information on our servers. Only those customers who attempted to purchase via credit card while the rogue script was on the site are affected. We estimate that the number of affected customers is in the low thousands and we are in the process of notifying them.
  5. The PokerTracker 4 application and your data within PokerTracker 4 has never been compromised. PokerTracker 4 does load an internal browser for the community page which would have loaded the rogue script but it is not technically possible for the script to gain access to view your data within the PokerTracker application.
  6. We have no reason to believe that your PokerTracker.com username or password were intercepted; however, to be abundantly cautious we recommend changing your password.

The first point needs some clarification. The ajaxclick.(com) site actually hosts numerous credit-card skimmers associated with the Magecart criminal operation. However, most of the other skimmers attack flaws in another and more-popular e-commerce CMS platform, Magento. Drupal vulnerabilities have also been known for years, so “not previously been seen in the wild” is an exact-combination qualification true only in a technical sense.

The length of time the hack was in place will also be of concern to PT4 customers. Charles also posted this: “If you entered your credit card information on the PokerTracker.com website between the dates of December 23, 2018 and August 8, 2019 we will be contacting you to urge you to closely monitor your credit card activity for any fraudulent purchases. If you notice a fraudulent charge, please immediately contact the telephone number on the back of your credit card to notify them of the fraudulent activity.”

However, nearly half of the period for which credit-card info was presumably stolen already falls outside the 120-day window that most major credit-card providers allow for fraud-related chargebacks. Max Value Software has also allowed nearly three more weeks to elapse without issuing formal warnings to affected customers. That translates directly into more transactions that may well have slipped beyond the 120-day recovery window.


Leave a Comment



filter by

Haley Hintze

17th January 2020 // Legal News, Misc, News

Pennsylvania’s Penn National Fined for Poker Tourney Regulatory Misstep

Pennsylvania casino entity Mountainview Thoroughbred Racing Association, LLC, the parent company of the Hollywood...

Haley Hintze

16th January 2020 // Legal News, Misc, News

Failed Australian Poker Backing Deal Results in Lawsuit Against James Hopkins

Another poker story emanating from Australia in recent days is a failed backing deal in which a related team of backers...

Haley Hintze

15th January 2020 // Industry, Legal News, Misc, News

Australian Regulator Orders Blocking of Ignition Casino, Eight Other Sites

Australia’s online poker players have seemingly lost another outlet for playing their game with the news that...

Haley Hintze

14th January 2020 // Misc, News, Poker Tournaments

World Series of Poker Announces 2020 ‘Championship’ Event Slate

The World Series of Poker (WSOP) has continued fleshing out the 2020 WSOP schedule of events. In recent days, after two...

Haley Hintze

11th January 2020 // Industry, Misc, News

Global Poker Awards Announces 2020 Voting Process, Expands Categories

The poker world’s largest celebration of its own, the Global Poker Awards, has announced more details for its...

Dan Katz

11th January 2020 // News, Online Poker Action

It Could Maybe Happen: 25-Cent Pokerstars Spin & Go’s Have a $1 Million Jackpot Chance This Weekend

The great advantage to being a micro- to low-stakes online poker player, as I was when I was able to regularly play...