Warning: Cardrunners Customer Info Stolen

05-11-2011 , 01:22 PM
I've gotten the "Gambler" emails to the email addy I used for CR, but I've also gotten the "Gambler" emails to a non-CR addy (in fact, the one I use for 2+2).
05-11-2011 , 01:29 PM
I don't use my cr password for anything else. I have changed that one, along with all of my other important passwords. Is this enough? Is it safe to still use the email address associated with cr? Thanks
05-11-2011 , 01:35 PM
Quote:
Originally Posted by thepizzlefosho
someone help a brother out...

I use very different and unrelated passwords for everything. They all contain caps, numbers, and symbols when I can. Other than CR (for which they've obviously already reset my password) what do I need to be worried about resetting? I'm hearing raketherake, other training sites, poker sites, etc all being thrown out around here.

what exactly has been compromised other than my CR password and knowledge of that email address (for which I've been getting tons of spam for years)?
The things compromised were:

email addy's
encrypted passwords
IP's

That is the list.
05-11-2011 , 01:38 PM
Quote:
Originally Posted by ItsAboutTime
I don't use my cr password for anything else. I have changed that one, along with all of my other important passwords. Is this enough? Is it safe to still use the email address associated with cr? Thanks
I can't guarantee there wasn't another attack on another password for a non CR site, but if you use unique passwords for every account you should have nothing to worry about for any email account.
05-11-2011 , 01:59 PM
Quote:
Originally Posted by Green Plastic

I continue to be told that the algorithm we used cannot and will not be publicly posted and it has nothing to do with us being incompetent or having a weak algorithm.
well if you aren't gonna tell folks what is being used how about answering this Bruce Schneier quote

"Anyone can invent a security system that he himself cannot break. I've said this so often that Cory Doctorow has named it "Schneier's Law": When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something."

I do understand your position of "assume it's been taken and just change your password" but I'm sure a lot of people use the same password for a lot of accounts that they may not even remember about and how secure they are makes a big difference in whether they should spend hours digging through registration emails and such trying to remember where they used it.
05-11-2011 , 02:01 PM
Quote:
Originally Posted by mocky
I'm getting spammed to two separate e mails one is linked to my CR account the other is not.
+1.
05-11-2011 , 02:01 PM
Quote:
Originally Posted by Green Plastic
We've been following up with people who are NOT CR account holders but have still been getting this same spam. There are people who are getting these spam emails but are NOT in our system. Some of these emails are from as long as two weeks ago.

We are pretty confident that this is not a CR only situation. At this point we are working with those non-CR members to try to get a list of poker sites they held accounts on so we can get a better idea of who else might be hacked.

Edit: I am not meaning to scare anyone here, simply just providing the facts as I have them. I think it's important to remember to just CHANGE YOUR PASSWORDS to be as safe as possible.
They are mixing the dates up. Found one from 4/5/11, but this email address didn't get spam (the throwaway I currently use on CR did). The spam email WASN'T THERE 2 days ago. So, you can't rely on the dates of the emails (of course, spammers are used to that).
05-11-2011 , 02:03 PM
Quote:
Originally Posted by d0nk3y
I now have a bunch of new friends, thank you Cardrunners!

BUT, BUT - You can't Win if You don't Spin!!
05-11-2011 , 02:20 PM
I am in contact with someone that:

1. Has not ever signed up at CR (we confirmed he is not in our database).
2. Received these emails ~4 weeks ago

We think it's extremely likely that other poker industry sites are compromised in the same way. The solution remains the same -- PLEASE change your passwords.
05-11-2011 , 02:22 PM
Quote:
Originally Posted by BigPoppa
I've gotten the "Gambler" emails to the email addy I used for CR, but I've also gotten the "Gambler" emails to a non-CR addy (in fact, the one I use for 2+2).
I use the first, last and mid initial for 2p2, and can confirm I've received nothing but the usual junk - lots of stay at home opportunities lately from CNN and Fox.

Personally, the ONLY emails I've received are related to PTR, Sharkscope, 2 poker sites, CR (not DC or related affiliates). Both these emails (though one was a mistake) are in the Card Runners Database. The 8 yo Yahoo email hasn't received any. My ISP emails (some of which I use for banking, financial NOT related to Poker - though UB has one because it's also an 8 yo account) do not have any of the Gambler emails.

Just my experience.
05-11-2011 , 02:29 PM
Quote:
Originally Posted by kratos
LOL at sending the new pw in cleartext.. Great job.
+lol
05-11-2011 , 02:34 PM
Quote:
Originally Posted by Green Plastic
I am in contact with someone that:

1. Has not ever signed up at CR (we confirmed he is not in our database).
2. Received these emails ~4 weeks ago

We think it's extremely likely that other poker industry sites are compromised in the same way. The solution remains the same -- PLEASE change your passwords.
You should just make this a signature for awhile.
05-11-2011 , 02:40 PM
my old password was "Jef0luga123" can you please check if mine was one of the ones that was stolen?
05-11-2011 , 02:51 PM
So, is there any way to stop the 'Gambler' Emails?

I'm thinking of just closing my account and updating all of my accounts that are linked to that email to another email.

Anybody know if an email account that forwarded emails to the account that I had registered to CR's and is now receiving the spam would be at risk at all?
05-11-2011 , 03:03 PM
Quote:
Originally Posted by Green Plastic
We've been following up with people who are NOT CR account holders but have still been getting this same spam. There are people who are getting these spam emails but are NOT in our system. Some of these emails are from as long as two weeks ago.

We are pretty confident that this is not a CR only situation. At this point we are working with those non-CR members to try to get a list of poker sites they held accounts on so we can get a better idea of who else might be hacked.

Edit: I am not meaning to scare anyone here, simply just providing the facts as I have them. I think it's important to remember to just CHANGE YOUR PASSWORDS to be as safe as possible.
I'm getting spam to my PRIMARY e-mail account, an account mostly associated with personal contacts, and only one Poker account.. PokerStars.

The only other relevant contact listed in that e-mail is my Twitter, which although seldom used, follows some poker players.
05-11-2011 , 03:04 PM
Quote:
Originally Posted by Solid up arrow
my old password was "Jef0luga123" can you please check if mine was one of the ones that was stolen?
I am not 100% sure if you are serious or not, but no, there is no way to look anything up by password.
05-11-2011 , 03:18 PM
I can't remember my password. Did Cardrunners allow only letters and numbers in passwords or were any symbols allowed?
05-11-2011 , 03:27 PM
Shouldn't email addresses also be stored in an encrypted format as well as passwords? Then hackers would actually have to break the encryption to send spam as well.
05-11-2011 , 03:36 PM
They added new jackpots...Must get to them first.
05-11-2011 , 03:50 PM
Re: their password hashing algorithm, I'm confident that it's relatively secure.

I'd like to say that it's completely unbreakable and simply publish the algorithm for people to verify, but that's unfortunately not possible. They used an algorithm that is breakable in theory, but unlikely to be broken in practice. (I'd love to be able to say more, but obviously I'd prefer not to start a public discussion on how to best use compromised information.)

In other words, if you have a CR account, there's no need to panic, but there is sufficient reason to change any passwords that were identical to your CR password. If you're not sure what password you used for CR, just change all your important passwords.

There is also mounting evidence that CR was not the only site affected. Since we don't yet know which other sites were affected, we certainly don't know how secure their data was. So, this would be a good time to change all your passwords and maybe download a program like keepass so that you are no longer vulnerable to such things in the future.
05-11-2011 , 03:51 PM
It's fine to come down a little bit hard on CR here, but they are really doing the right thing. If you are a serial password re-user you run the risk of having your password stolen on a site which doesn't even bother to contact you. How many websites do you have accounts on? 50? 100? 900?

Encryption algorithms aside, people should be using unique passwords for anything that is connected with money or reputation. This includes the email accounts that you use to connect to poker/banking sites since some of them still stupidly only require access to email to reset your password.

Checking for any suspicious account activity on your email if you use a web provider is a good idea as well.
05-11-2011 , 03:51 PM
Quote:
Originally Posted by Shick
Shouldn't email addresses also be stored in an encrypted format as well as passwords? Then hackers would actually have to break the encryption to send spam as well.
E-mails have to be stored in plain text at some point. If they stored hashed e-mails, then e-mail addresses would look something like this: 311ebe3b24409596e04a84e71a540657 . You can't send an e-mail to that address unfortunately (and if you could, there'd be no point in hashing it).
05-11-2011 , 03:52 PM
Quote:
Originally Posted by latefordinner
It's fine to come down a little bit hard on CR here, but they are really doing the right thing.
Agree.
05-11-2011 , 03:59 PM
Quote:
Originally Posted by NoahSD
Re: their password hashing algorithm, I'm confident that it's relatively secure.

I'd like to say that it's completely unbreakable and simply publish the algorithm for people to verify, but that's unfortunately not possible. They used an algorithm that is breakable in theory, but unlikely to be broken in practice. (I'd love to be able to say more, but obviously I'd prefer not to start a public discussion on how to best use compromised information.)
Why the secrecy? Security through obscurity doesn't work. CR should tell us exactly what hashing algorithm / salting etc. they used, all this hush-hush is only making matters worse, not better. Proper security is safe even if it is exactly known what the algorithms used are.

Your post makes me think they came up with some kind of home brew hashing algorithm and that's why they think there's any value in not making it public. Is that the reason they are not telling us?
05-11-2011 , 04:04 PM
Quote:
Originally Posted by dial
I can't remember my password. Did Cardrunners allow only letters and numbers in passwords or were any symbols allowed?
Symbols, but no special characters, were allowed.


Quote:
Originally Posted by Shick
Shouldn't email addresses also be stored in an encrypted format as well as passwords? Then hackers would actually have to break the encryption to send spam as well.
Like somebody (noah?) just said, this is not really at all practical. We would be rendered unable to email members or even service their accounts.


Quote:
Originally Posted by NoahSD
Re: their password hashing algorithm, I'm confident that it's relatively secure.

I'd like to say that it's completely unbreakable and simply publish the algorithm for people to verify, but that's unfortunately not possible. They used an algorithm that is breakable in theory, but unlikely to be broken in practice. (I'd love to be able to say more, but obviously I'd prefer not to start a public discussion on how to best use compromised information.)

In other words, if you have a CR account, there's no need to panic, but there is sufficient reason to change any passwords that were identical to your CR password. If you're not sure what password you used for CR, just change all your important passwords.

There is also mounting evidence that CR was not the only site affected. Since we don't yet know which other sites were affected, we certainly don't know how secure their data was. So, this would be a good time to change all your passwords and maybe download a program like keepass so that you are no longer vulnerable to such things in the future.
Thank you for the help, Noah.