World Poker Tour’s Play-Money Poker Site Suffers Password Thefts
The World Poker Tour may have learned an important lesson in recent days: the security of users’ private information is worth protecting, even if no real-money gambling dollars are at stake. The servers used to host the WPT’s play-money Amateur Poker League site (wptapl.com) were recently hacked into by a person or persons unknown.
The intrusion included the theft of the primary user database, containing the e-mail addresses and account passwords of 175,333 players, likely the site’s entire player base.
News of the leak was first posted on a hacker forum located in the United Kingdom, suggesting a possible home for the hacker responsible for the theft. The news was posted in the form of the complete file, with the plain-text passwords and e-mail addresses listed one per line, delimited by a single comma. Nearly 50,000 of the stolen plain-text passwords contained the same plain-text string, “sdf7asdf6asdg8df”, suggesting its use as the default password for all resets submitted to the site.
While the nearly 50,000 accounts with the same password likely included many inactive accounts, the plain-text storage of passwords and e-mail addresses, along with the use of a default, non-random replacement value for lost passwords, suggests that the entire site was created by someone absolutely clueless about or indifferent to user security.
Reasons why the site’s theft and public posting were embarrassing to the WPT could be seen in the leaked addresses themselves, which included many well-known government and business domains, from both the US and abroad. From the US alone, the following governmental domains were noted among the WPTAPL user accounts:
- dhs.gov — Department of Homeland Security
- irs.gov — Internal Revenue Service
- nasa.gov — NASA
- af.mil — US Air Force
- army.mil — US Army
- navy.mil — US Navy
- usmc.mil — US Marines
- usdoj.gov — United States Department of Justice
- uscourts.gov — United States Courts online system
Similar, if less frequent, accounts appeared from international government agencies in Canada and the UK, the other two nationalities served by the WPT Amateur Poker League site.
The leaked passwords were first reported in a brief piece at CyberWarsNews.info on Saturday, following a brief Twitter post by the presumed hacker on Friday evening. Several poker media outlets reported receiving no comment or update on the matter, until a brief piece at an online site for IT professionals, SCMagazine.com, reported confirmation on the hacking from WPTAPL CEO Kurt McPhail.
SCMagazine quoted McPhail as stating that only about 50,000 active accounts were compromised, no financial data was stolen (WPTAPL, again, is a play-money site), and that the theft came from an older database. Said McPhail, “It’s pretty much worthless information. [Most of] the data they obtained was old.”
Pretty worthless, but not valueless, and it’s a safe bet the 175,000 e-mail addys, publicly posted, have already been pasted into gambling-site spammers’ mailing databases around the globe. McPhail dismissed the issue by noting that the hackers couldn’t gain entry to the WPTAPL accounts, since the user names themselves were stored separately, but the utter lack of regard for what else could happen to the stolen e-mails serves as a good cautionary lesson for consumers: Even “free” sites can carry small and tangible risks.
McPhail also told SCMagazine that the WPT’s Amateur Poker League is applying patches to fix the problem, though as with most of these episodes, it’s a problem that never needed to occur in the first place.