
The SealsWithClubs Hacking: Passwords Compromised but No Funds Lost

New Bitcoin-based online poker site SealsWithClubs has found itself in the mainstream news headlines due to a hacking attack on a poorly secured data center that was used by SWC until late November as part of its online connectivity.  The bad news is that what was likely the complete listing of encrypted “hashes” of passwords for all users of the site was stolen and publicly published on a hacking forum, but the good news is that, thanks to a two-step storage system involving the actual strings representing the Bitcoins themselves that were on the site, no actual funds appear to have been stolen.

SealsWithClubs, amid a forthright public apology for some of the technical lapses that allowed the hacking attack to be partly successful, issued a mandatory password re-setting for all of its players.

As reported on Ars Technica, what appears to have been part of a paid effort to steal Bitcoins from the online accounts of SealsWithClubs users began with a posting on a forum frequented by hackers and run by “commercial password cracking software developer InsidePro.”  A user named StacyM posted a database of hashes and promised $20 (a small fraction of a single Bitcoin at today’s rates) for every 1,000 of the encoded passwords that could be hacked.

The responses soon came flowing in, and an abundance of lazily created user passwords (e.g., “sealswithclubs”) made it clear that the database was in fact a listing of tens of thousands of encrypted SWC passwords.  Further, in addition to the lax security and poor protocols at the unnamed former service provider, which SWC frontman Bryan Micon claimed was dumped last month over several different issues, SWC’s tech and security guys themselves had made a blunder in using a fairly simple SHA1 (Secure Hash Algorithm 1, which has been insecure since 2010 at the latest) hashing algorithm to encode the early password hashes.

The end result was that the unknown hacker was able to steal the database, though it was akin to breaking through the locked glass window doors of a bank’s drive-through location, after hours: The real money was still locked away in the safe.  That is because the actual Bitcoin funds used by players at the site, which consist of strings of data themselves, were locked away behind a second layer of security that SWC’s Micon termed “cold storage”; having the user passwords alone wasn’t enough to get access to the virtual money.

Yet the hackers in this case appeared to have solved about half the puzzle before being discovered.  Ars Technica rightly chided SealsWithClubs for using the weak security attached to its password encrypting, and SWC itself quickly issued a brief statement.  The statement doesn’t really acknowledge the weak password encryption and places a lot of the blame on the old network administration service from which the database was stolen, but you get the idea:

The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.

As a response to this occurrence, a top priority is to further put user’s security into their own hands beyond offering two-factor authentication. This includes the ability to permanently lock withdrawal address, locking out the transfer feature, and locking out account access except for a set of IPs (at least one of which must be the currently used IP). Expect to see these features in the near future.

Transfers may be disabled for a short period of time. Thank you very much for your understanding and support during this rough time. We sincerely apologize for any inconvenience or concern this may cause our players.
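The weakness described above and the mandatory reset in SWC’s statement can be shown side by side. The following is an added example, not code from SealsWithClubs or from the original article: it verifies a legacy per-user salted SHA-1 record, refuses site-name passwords such as “sealswithclubs,” and stores the replacement with a deliberately slow key-derivation function. The salt-then-password layout, the record fields, the word list and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed names and parameters throughout; none come from SealsWithClubs.
PBKDF2_ITERATIONS = 600_000                      # work factor, tune to hardware
SITE_WORDS = ("sealswithclubs", "seals", "swc")  # constructed deny-list


def legacy_sha1(password: str, salt: bytes) -> bytes:
    """Per-user salted SHA-1: an attacker pays one fast hash call per guess."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs PBKDF2_ITERATIONS HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)


def verify(record: dict, password: str) -> bool:
    """Check a password against either record scheme in constant time."""
    hasher = legacy_sha1 if record["scheme"] == "sha1" else slow_hash
    return hmac.compare_digest(hasher(password, record["salt"]), record["hash"])


def is_guessable(password: str, username: str) -> bool:
    """Reject short passwords and ones built from the site or account name."""
    lowered = password.lower()
    words = [w for w in SITE_WORDS + (username.lower(),) if w]
    return len(password) < 12 or any(w in lowered for w in words)


def forced_reset(record: dict, username: str, old_pw: str, new_pw: str) -> dict:
    """Mandatory reset after a hash leak; returns the replacement record."""
    if not verify(record, old_pw):
        raise PermissionError("current password incorrect")
    if new_pw == old_pw or is_guessable(new_pw, username):
        raise ValueError("new password rejected")
    salt = os.urandom(16)  # fresh salt, so the leaked salt is retired too
    return {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(new_pw, salt)}
```

A per-user salt only stops one precomputed table from covering every account; it does nothing to slow guesses against a single account, which is why the work factor matters once the hashes are public.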

FlushDraw also checked in directly with SealsWithClubs and Bryan Micon for a little bit more on the situation.   When asked specifically if any players had reported thefts from their accounts, Micon responded, “We cannot say with certainty yet but it appears no individual accounts were successfully stolen from.  While Seal Team 6 (our technical team) is still working on this issue, I have not found one report of a player missing their coins.”

Micon was also willing to talk about the high probability that this was an attack against a Bitcoin site, rather than an attack against a poker site specifically.

Said Micon, “All indications appear they were trying to steal Bitcoins.  It is worth noting that player funds were never at risk, as we have a cold storage solution that does not interact with our ‘hot wallet’ system.  It is also worth noting that the group that makes up [SWC’s technical team] takes their jobs very seriously.  We made a terrible error that was compounded by our datacenter’s failure.  We take full responsibility and understand our reputation will take a hit.  We have shifted all efforts towards security.  I hope that players see how we respond to this and other issues we have had in the past.  We strive for honesty and full disclosure without compromising security, and I think we have exhibited that in our reaction.”

As Micon continued, “At this stage I want players to understand that SealsWithClubs is a small group of highly motivated poker players and software engineers that share the vision of doing online poker ‘the right way.’  We are likely to make mistakes at these early stages.  When we do we will always correct them to the best of our ability.  The current database compromise is embarrassing and costly.  We will treat this like all other challenges we have faced and fix it.  We will not let a creative hacker destroy what we have built: instead we will defend this house with all that we have.”

SealsWithClubs was down only briefly as administrative updates were made in connection with the hacking attack, and full player capabilities — minus the player-to-player transfer capabilities — have been restored.

