WPT Amateur Poker League

World Poker Tour’s Play-Money Poker Site Suffers Password Thefts

The World Poker Tour may have learned an important lesson in recent days: the security of users’ private information is worth protecting, even if no real-money gambling dollars are at stake.  The servers used to host the WPT’s play-money Amateur Poker League site (wptapl.com) were recently hacked into by person or persons unknown.

The hack included the theft of the primary user database, which held the e-mail addresses and account passwords for 175,333 players, likely the site’s entire player database.

News of the leak was first posted on a hacker forum located in the United Kingdom, suggesting a possible home for the hacker responsible for the theft.  The news was posted in the form of the complete file, with the plain-text passwords and e-mail addresses listed one per line, delimited by a single comma.  Nearly 50,000 of the stolen plain-text passwords contained the same plain-text string, “sdf7asdf6asdg8df”, suggesting its use as a default password for all resets submitted to the site.

While the nearly 50,000 accounts with the same password likely included many inactive accounts, the plain-text storage of passwords and e-mail addresses, along with the use of a default, non-random replacement value for lost passwords, suggests that the entire site was created by someone absolutely clueless about or indifferent to user security.

Reasons why the site’s theft and public posting were embarrassing to the WPT could be seen in the leaked addresses themselves, which included many well-known government and business domains, from both the US and abroad.  From the US alone, the following governmental domains were noted among the WPTAPL user accounts:

  • dhs.gov — Department of Homeland Security
  • irs.gov — Internal Revenue Service
  • nasa.gov — NASA
  • af.mil — US Air Force
  • army.mil — US Army
  • navy.mil — US Navy
  • usmc.mil — US Marines
  • usdoj.gov — United States Department of Justice
  • uscourts.gov — United States Courts online system

Similar, if less frequent, accounts appeared from international government agencies in Canada and the UK, the other two nationalities served by the WPT Amateur Poker League site.

The leaked passwords were first reported in a brief piece at CyberWarsNews.info on Saturday, following a brief Twitter post by the presumed hacker on Friday evening.  Several poker media outlets reported receiving no comment or update on the matter, until a brief piece at an online site for IT professionals, SCMagazine.com, reported confirmation on the hacking from WPTAPL CEO Kurt McPhail.

SCMagazine quoted McPhail as stating that only about 50,000 active accounts were compromised, no financial data was stolen (WPTAPL, again, is a play-money site), and that the theft came from an older database.  Said McPhail, “It’s pretty much worthless information.  [Most of] the data they obtained was old.”

Pretty worthless, but not valueless, and it’s a safe bet the 175,000 e-mail addys, publicly posted, have already been pasted into gambling-site spammers’ mailing databases around the globe.  McPhail dismissed the issue by noting that the hackers couldn’t gain entry to the WPTAPL accounts, since the user names themselves were stored separately, but the utter lack of regard for what else could happen to the stolen e-mails serves as a good cautionary lesson for consumers: Even “free” sites can carry small and tangible risks.

McPhail also told SCMagazine that the WPT’s Amateur Poker League is applying patches to fix the problem, though as with most of these episodes, it’s a problem that never needed to occur in the first place.


