Many Pokerstars accounts hacked recently, Stars accepts no liability

10-22-2018 , 05:44 AM
As long as your password is not revealed to a third-party (eg, shared with a service which allows for offline cracking - see haveibeenpwned.com; or identified using a keylogger) and your password is not stupidly obvious (eg, if you won the 2004 WSOP, don't choose '2004wsop') and your email is secure (so that a hacker doesn't have access to your email so they can reset it) you'll be fine.

You probably should use a service such as LastPass or similar to secure all your passwords, but the discussion here about very complex passwords is just distracting nonsense to the victims who have lost money.
10-22-2018 , 07:10 AM
Quote:
Originally Posted by Josem
The argument about whether it is better to have random passwords, or ultra-long phrase passwords is entirely stupid and irrelevant to this thread for a few reasons:

a) The PokerStars password field is not - last time I checked - endless. I think it was limited to 20 characters (I can't check now, but anyone else can do so).

b) The issues of password complexity apply to offline password cracking (where you can run X million attempts a second) not to online password hacking where you have to send each request to the server, and wait for a result. I cannot imagine that you could send even a million requests to the PokerStars server, let alone billions, to brute force a PokerStars password in this manner.

c) It is all made irrelevant if you use the multi-factor authentication options that PokerStars offers: ideally, the RSA Security Token which was designed and implemented a decade ago, or the more recent SMS Validation. Each will be "good enough" for the meaningful risks that people reading this thread will face
Pretty much all sites need to have minimum 2 FA, but preferably RSA/Google authenticator as standard. Wherever I have virtual money held I demand this as a minimum. Should Stars and other sites insist on all real money players having this as minimum protection? My answer would be Yes. This is pretty much all old hat. I am far more worried about AI and Bot detection as they steal my money in more subtle ways!!!
10-22-2018 , 09:05 PM
Thanks Josem, that's some useful info, will be looking into lastpass and that sms thing
10-23-2018 , 11:14 AM
Quote:
Originally Posted by Josem
As long as your password is not revealed to a third-party (eg, shared with a service which allows for offline cracking - see haveibeenpwned.com; or identified using a keylogger) and your password is not stupidly obvious (eg, if you won the 2004 WSOP, don't choose '2004wsop') and your email is secure (so that a hacker doesn't have access to your email so they can reset it) you'll be fine.

You probably should use a service such as LastPass or similar to secure all your passwords, but the discussion here about very complex passwords is just distracting nonsense to the victims who have lost money.
When you have multiple stories similar to this:

sirswish:

my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though

How can you possibly not believe that the password hack was on the Pokerstars' side of the board?

Your password could be 300 characters of indecipherable gobbledygook and it doesn't matter if someone has access to it from Pokerstars side.

It seems pretty clear to me, if these stories are all true, that there was a breach.
10-23-2018 , 11:40 AM
Quote:
Originally Posted by falldown
How can you possibly not believe that the password hack was on the Pokerstars' side of the board?
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.

Quote:
Your password could be 300 characters of indecipherable gobbledygook and it doesn't matter if someone has access to it from Pokerstars side.
This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.

Quote:
It seems pretty clear to me, if these stories are all true, that there was a breach.
lol
10-26-2018 , 12:40 AM
Quote:
Originally Posted by Josem
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.


This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.


lol
I had my Skrill account hacked and about 6k stolen. They flooded my linked e mail in box with so much spam it filled it and somewhere in between all the spam, which was just a huge mail bomb was the e mail saying my withdrawal had been made. I exhausted the Skrill Appeals process.

It was a unique random hashed password. They got it right first time. The attack originated from an internet access point less than a mile from Skrill’s office which could have been a coincidence. The second log in was where the damage was done, as the first presumably was to get my primary e mail address. And to prepare to move the money quickly.

At the time I appealed to the UK FRA ombudsman. Which Skrill, being based in the UK, was covered by.

During my appeal I was doing some research on password hashing by seed. At the time I found multiple sites with people offering to de hash password databases. Sceptics were offering up partial dbs for these hackers to de hash as proof of ability. Each time they were cracking the hashed examples as proof of ability, and were usually correct even with a smallish sample.

The guys wanting the de hashing done usually accepted this as proof of ability. Sent the rest of the dB to be dehashed. And the transaction was completed successfully. No idea if hashing by seed is still done in the same way now as it was then. This was a few years ago. No malware/ key loggers etc were found on my computer and nothing else was hacked. It took about 13 months for my case to be reviewed. I won and was awarded a full refund with 9% interest iirc. No idea how it was de hashed or by whom but it was. I concede that the initial offers may have been from shills. But I doubt the market in dehashing password data bases was that big back then.

Your 300 character example isn’t practical for any internet user. But I do remember password dehashing going on at the time. And the acknowledgement that it was weak and vulnerable and primarily used to prevent low level workers having access to user names’ passwords. And remember someone or multiple people in the company have to know the seed. Things may have changed I’m just recounting a similar experience, that a number of people went through at the same time on two plus two. There were probably others elsewhere.
10-26-2018 , 01:42 PM
My Pokerstars account was hacked yesterday. Some piece of **** apparently got my password and lost the $850 on my account at NL200 tables to another account. Probably chip dumping. To be fair: My password was quite junk. Still, I found it quite disturbing how quickly Pokerstars made it clear that it wasn't liable itself. The attempt to reverse the hacker's payout process also failed.

Anyway, I wanted to place a warning at this point. Activate the two factor authentication and don't be as stupid as me.

For me that's the end of online poker. For 12 years I've been donking around on stars. I deposited 30 dollars from paysafe cards from the gas station and never looked back. That must have been 2006. Since then I played "successfully" for about impressive 1.30 dollar hourly. In the beginning 10-max sngs, 10NL, some PLO8, later 6-max sngs, 180-tournaments. Nice times back then, stacking everybody with bottom sets. The last years I played only 7 dollars spin-and-gos and managed to do quite well.

Strangely enough, I am almost a little relieved with my "frozen account", not have to play poker anymore. Losing was always more annoying than winning was fun. So I wish everybody luck at the tables.

If this is the wrong forum ... sorry, please move
10-26-2018 , 02:07 PM
GG WP
10-26-2018 , 02:44 PM
you made $850 over 12 years?
10-26-2018 , 02:52 PM
12 years @ the micros...he did you a favor
10-26-2018 , 03:12 PM
That sucks, at least you don't have to play on Stars anymore. That site was the **** back in the day, now it's just ****.
10-26-2018 , 03:28 PM
Quote:
Originally Posted by Playbig2000
you made $850 over 12 years?
No, I cashed out from time to time. But flipping burgers would have been ten times more lucrative.
10-29-2018 , 09:41 AM
Quote:
Originally Posted by Josem
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.


This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.


lol
People with a unique Pokerstars password that gets entered correctly on the first try and none of their other accounts are affected?

This sounds like evidence to me.

I'm not sure if it's a third party who hacked in, or an insider somehow selling or using passwords, but it smells like someone has the passwords to me. Not a keylogger since other accounts were not affected, etc...

I realize I am out of my league discussing security with you so I'll just slink away into the shadows now.
10-29-2018 , 10:59 AM
Quote:
Originally Posted by falldown
People with a unique Pokerstars password that gets entered correctly on the first try and none of their other accounts are affected?
It is theoretically possible that someone has somehow got an extract of the PokerStars password database, somehow run a brute force offline attack against it, and then used that to obtain access to a handful of accounts. I guess it's not impossible, but that's an awfully unlikely chain of events. I imagine that the fair odds of this having happened is something in the order of 1000-1 (or longer).

Quote:
I'm not sure if it's a third party who hacked in, or an insider somehow selling or using passwords, but it smells like someone has the passwords to me. Not a keylogger since other accounts were not affected, etc...
But PokerStars have previously published that they don't store player passwords in a plain text form. Rather, they're hashed. So for this to all have happened, you need to somehow extract part of the database, and then to run an (offline) brute force attack, and then to use the user's password. If someone has somehow done this, it's a very curious set of facts available to us.

It is far more likely that the victims here have revealed their passwords to the hackers by:
a) inadvertently using the password elsewhere
b) providing their password to some phishing service
c) sharing the password on different services
d) telling their password to a trusted friend or family member
e) falling afoul of a keylogger
f) some other way

If there was some sort of widespread PokerStars database breach:
a) PokerStars would have a legal obligation to notify the victims
b) the victims are much more likely to be people who have boring/common passwords, 'cause they're easier to brute force "de-hash". That is, the victims would be people with passwords like "PASSWORD" rather than "@$F@$%@EMD3ouhd3%^@" because modern offline brute force password cracking tools will try "PASSWORD" before the long and complicated random stuff.
c) There would be thousands (millions?) of victims, not a couple of dozen over several years
10-30-2018 , 07:04 AM
There have been multiple long delays in the uk by large companies having their data bases breached in the last few years. Some come clean right away but many often delay the press release.

Am I right in thinking once you’ve used dehashing software and cracked one password, you have the hashing seed and can dehash the rest? If that’s the case the perpetrators are being very conservative so as not to draw huge attention on themselves, only have small part of the data base or these passwords have been used elsewhere and sold. I’m speaking as a man who had a legit e wallet hacked which had a unique and complex password which the hackers got correct first time. See above. I’m no expert in this field but took more than an active interest when 1/3 of my roll was stolen then immediately moved to another gambling site who refused to reverse the transaction knowing it was fraudulent.

Last edited by Andyfothershops; 10-30-2018 at 07:23 AM.
10-30-2018 , 08:36 AM
Quote:
Originally Posted by Andyfothershops
There have been multiple long delays in the uk by large companies having their data bases breached in the last few years. Some come clean right away but many often delay the press release.
GDPR rules have changed this.

See here: https://ico.org.uk/for-organisations...data-breaches/

Quote:
Am I right in thinking once you’ve used dehashing software and cracked one password, you have the hashing seed and can dehash the rest?
No.


Quote:
If that’s the case...
Fortunately, that's not the case.
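Added example, not part of any post in this thread: a small Python sketch of the two points argued above, that an offline wordlist pass recovers common passwords while a long random one survives, and that cracking one record does not "dehash the rest" when each record has its own salt (the "seed" in the posts). The thread does not say which scheme PokerStars uses; PBKDF2-HMAC-SHA256 with a 16-byte per-user salt, the user names and the wordlist are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumption: kept low so the demo runs quickly

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> dict:
    """What a site would store: a random per-user salt and the hash, no plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed sample store; the passwords are the examples quoted in the thread.
USERS = {
    "alice": "PASSWORD",
    "bob": "2004wsop",
    "carol": "PASSWORD",             # same password as alice, different salt
    "dave": "@$F@$%@EMD3ouhd3%^@",   # long random password
}
STORE = {user: make_record(pw) for user, pw in USERS.items()}

# Constructed wordlist standing in for the "common passwords first" ordering.
WORDLIST = ["123456", "PASSWORD", "qwerty", "2004wsop", "letmein"]

def audit(store: dict, wordlist: list) -> dict:
    """Return {user: password} for every record that falls to the wordlist."""
    found = {}
    for user, rec in store.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                found[user] = guess
                break
    return found

def reuse_cracked_record(store: dict, cracked_user: str, password: str) -> list:
    """Check the 'one crack unlocks the rest' idea: hash the recovered password
    with the cracked user's salt and compare it against every other record."""
    candidate = hash_password(password, store[cracked_user]["salt"])
    return [user for user, rec in store.items()
            if user != cracked_user and hmac.compare_digest(candidate, rec["hash"])]

if __name__ == "__main__":
    print("fell to wordlist:", audit(STORE, WORDLIST))
    print("unlocked by alice's salt:", reuse_cracked_record(STORE, "alice", "PASSWORD"))
```

The salt is stored beside each hash and is not a secret key, so learning it gives no shortcut: every record still has to be guessed separately, which is why carol's record does not match alice's even though the passwords are identical.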
10-31-2018 , 03:58 AM
Quote:
Originally Posted by Josem
b) providing their password to some phishing service
i can't speak about the current events (eg regarding the ddos attacks, b/c i didn't read something recently), but when this thread started, it took only a few months and a security site wrote a piece about a new sort of malware. in the article it was mentioned that the poker community was targeted. basically they attached the virus (or whatever) to cracked versions of PT and HM and of course tons of ppl downloaded it.

it was also mentioned itt, that in general hackers and those who steal the money are not the same persons. we have some people, that write the malware, spread it, collect data and sell it on the black market and then there are people, who buy specific sets of data to make a profit. eg credit cards info or in this case login data for clients.

so the usual "oh, if i would have been hacked, my email account [or fill in something else] would have been breached, too" argument isn't a proof. another thing i read far too often "but i ran my anti-virus software and my laptop is clean" is also misleading. not beating a dead horse, but if a malware is new and well written, no virus scanner will find it. and if you're not familiar with the topic and you don't monitor your software, you won't notice.

i'm not saying every complaint can be brushed away by saying, you downloaded malware and someone sold the login data. i just think the general idea of "oh, it was definitely not my fault" (for every case) seems unlikely. having said that, even it was the user's fault, i think in some cases it's weird, that the attackers could add a new withdraw option and get away with the money.
10-31-2018 , 04:53 AM
NerdSuperfly,

I agree with much of what you wrote there (especially including concerns about poker operators allegedly allowing withdrawals to new devices).
11-01-2018 , 07:09 PM
Quote:
Originally Posted by sirswish6
my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though



Don't trust that email asking for that sort of information from you, seems scammy as hell, esp the email name itself, I've never seen that one before. Contact support yourself through their website. Do not trust emails you get asking you q's while your account pw isn't working. Etc. I could be wrong about this, but it feels fishy to me and I say might as well not risk it and contact stars directly instead of responding to the emails with questions of this nature.
01-09-2019 , 10:11 AM
A new post by an outstanding consumer-facing online security account researcher: https://www.troyhunt.com/no-spotify-wasnt-hacked/

It provides some possible explanations for how a user could have their password compromised, and uses the example of Spotify accounts to demonstrate the idea.