Also been massively spammed by gambler XX

I'm a bit of a tech neophyte. I might re ask this in the other thread if this one gets closed.

For starters im not too concern about people getting into my CR account( should I be?). I assume just cause they can get into my CR account they still cant get my credit card info.

I also know that anyone can find different peoples email and IP address if they want.

But just cause someone can find a bunch of Ip and emails, doesn't mean they are good targets to hack. But these hackers obviously know that the emails and Ip address's they have are those of online poker players, who might be good targets to hack.

So given that Ive heard most email accounts are pretty easy for a decent hacker to hack, should I worry about someone targeting my email now, and getting in and perhaps compromising online banking or poker sites I have attached to that email?

Also what about people trying to compromise my home computer now that they have my IP address and know I play online poker?

When the site gets hacked, the hacker normally engages in phishing --- though anyone can do with proper tools. While the login page may look like a carbon copy of the legit page, the passwords are not encrypted when a user enters the password. So it's quite easy for the hacker to get user's IPs and login info.

The only thing to watch out for is spam mails posing as Cardrunners and such. Somebody will be scammed.

confirmed spam mails received also

We've been discussing the "Gambler Joe Blow" spam in the Warning: Cardrunners Customer Info Stolen thread in Internet Poker as well. It appears that spam didn't go to all CR members, and it also went to non-CR members, so I think the jury is out as to whether there is any link.

It seems pretty damn unlikely that the spam is totally unrelated to CR. It's possible that they got two different sites with the same attack (though we haven't heard the attack yet, it could be something as boring as exploiting unsanitized or incorrectly sanitized input). It's possible that CR has more e-mail address than we realize, and maybe even more e-mails than CRjeff realizes (they've been around forever... I'm really surprised that they apparently don't have my e-mail address). It's also possible that the guys who hacked CR used the information they got to get additional e-mails. Maybe they grabbed some important-looking e-mails from the CR database, guessed a security question or two, and got a bunch more e-mails.

The questions I'd like to see answered are:
* Is it the encrypted password, or just the hashes which were compromised?
* If it's the hashes, were they salted
* What's the algorithm employed (and if you say you cannot disclose it for security reasons that means you are incompetent and used a weak algorithm).

Depending on the answers it is either a non-event or gross incompetence on CR part.

To the best of my knowledge, which goes back 3.5 years as a CR employee, the database I search for email addresses encompasses our entire history.

As I stated somewhere or another on here, I also cross checked both our StoxPoker database and in each of the 4-5 cases that I explored, we had no record anywhere.

That being said, as I said (!), I am very ignorant to the tech side of things, so I won't totally discount the possibility that I could be wrong.

Could this be like a Sony thing could they get my Credit card info?

The breach was limited to only those three pieces of information (IP, email, encrypted PW). No financial or payment data was compromised.

This ^^

This happened with a big forum in Ireland about a year ago. Although they didn't have the passwords properly encrypted so it was easy for the hackers to get them.

Everyone was emailed and asked to change the password on other sites if it was the same. Loads of people just ignored it, and their emails were hacked into (if they had the same password) and people were spammed. People who had the same password on poker accounts had their accounts broken into and money stolen (chipdumped into waiting accounts). I know one guy who had 50K taken from his poker account.

So if you use the same password for CR as for other sites, change it now on the other sites now, just to be safe.

So did I but I don't have nor have ever had a CR account. Unrelated ldo.

Lol. They definitely got my e-mail address. Spam city in my mailbox.

Spammed a lot for me too.... obviously its not a coincidence.

Some people without CR account have been also spammed- could our Holdemanager accounts or anything else CR is linked with be also compromised?

As a hacker and general internet douchebag... id politely like u to STFU and talk from your face instead of ur ass. The fact that cc info was properly hidden is MILES AHEAD of 90% of sites... most way bigger then CR. Ive seen shopadmins of many many many sites worldwide, and most dont even encrypt CC info and it just sits there in plain text with CVV. I srsly think there are ppl on 2+2 that wait to just run others into the ground and try and muck up their rep. IMO sounds like they have a decent enough tech guy for their size. Please find me a forum that doesnt store passwords server side, sure some may use MD5, but id be willing to bet 2+2 stores email/pass/ip server side as well...so you should probably do us all a favor and delete ur acc in order to keep ur privacy.

Btw if you are using 1 password for all accounts in your life, you are the idiot not CR... so i dont see how this is a big deal.

for what its worth i hate CR and dont have an acc and never will

Hi Bobo Fett, re your post.

I confirm I have received various spam from the gambler thingy howwever I have received them to two different email addresses.

One is main email which was definately registered with cardrunners, the second is a seperate address I barely use. Now I can't be sure if I registered with cardrunners under the other address, although they haven't sent the standard email so probs not.

The only other email I get on my other address is the 'Poker News Daily' emails. If I'm honest I can't even think of anywhere else I've registered that email with.

Totally depends on how password was encrypted as Noah has said. I hope they were at least salted.

Also, I would recommend everyone changes their passwords on all sites/apps they use if they use that password on any other service. Even if a password is salted + hashed, it's entirely possible (and relatively easy) to brute force all the passwords, or cherry pick lucrative accounts to brute force. A carpet brute force is entirely possible and probably potentially lucrative especially if the hashes weren't generated iteratively.

ive recieved 15 emails in last 2 days that say gambler then list a random persons name is this related?

same w the Gambler thingie, like 15 emails

Ditto on the 'gambler'-spam that suddenly started flooding in yesterday - and on an email-address that I've managed to keep almost spam free for 5+ years that's pretty noticable...

I'm really not an expert on this. I was giving my opinion based on early reports that showed a far bit of inconsistency - CR members that hadn't received spam, and non-CR members that did - that made me wonder if they were necessarily connected. But as more people show up that have never received poker spam before and are now, it seems more likely that the CR hack (and in all likelihood hacks of other sites) are related to the spam.

I recommend using lastpass or a similar solution. Along with their UBikey USB key.
I use it to generate and store a unique password for each site and my passwords can't be used without the hardware.

Lastpass had a minor security breach recently. The way they store the master PW and the fact that I had unique numbers/letter/caps/characters/long password and Ubikey means I know that my details are perfectly safe.

Also set your email address to only send a recovery password to a mobile phone and remove other recovery options a security questions. (This works for gmail anyway)

i got 25 spam emails since 1st of april on that adress, half of which in the last 12 hours from gambler xyz...

5 since yesterday