Quote:
Originally Posted by falldown
People with a unique Pokerstars password that gets entered correctly on the first try and none of their other accounts are affected?
It is theoretically possible that someone has somehow got an extract of the PokerStars password database, somehow run a brute force offline attack against it, and then used that to obtain access to a handful of accounts. I guess it's not impossible, but that's an awfully unlikely chain of events. I imagine that the fair odds of this having happened are something in the order of 1000-1 (or longer).
Quote:
I'm not sure if it's a third party who hacked in, or an insider somehow selling or using passwords, but it smells like someone has the passwords to me. Not a keylogger since other accounts were not affected, etc...
But PokerStars have previously published that they don't store player passwords in a plain text form. Rather, they're hashed. So for this to all have happened, you need to somehow extract part of the database, and then to run an (offline) brute force attack, and then to use the user's password. If someone has somehow done this, it's a very curious set of facts available to us.
It is far more likely that the victims here have revealed their passwords to the hackers by:
a) inadvertently using the password elsewhere
b) providing their password to some phishing service
c) sharing the password on different services
d) telling their password to a trusted friend or family member
e) falling afoul of a keylogger
f) some other way
If there was some sort of widespread PokerStars database breach:
a) PokerStars would have a legal obligation to notify the victims
b) the victims are much more likely to be people who have boring/common passwords, 'cause they're easier to brute force "de-hash". That is, the victims would be people with passwords like "PASSWORD" rather than "@$F@$%@EMD3ouhd3%^@" because modern offline brute force password cracking tools will try "PASSWORD" before the long and complicated random stuff.
c) There would be thousands (millions?) of victims, not a couple of dozen over several years
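To illustrate point b) above, here is an added example (not part of the original post) that takes the defender's view of a leaked, unsalted hash store: an audit that flags which accounts fall to a common-password list immediately, and a count of how many guesses remain before an exhaustive search would reach a long random password. The usernames, passwords, hashes and wordlist are all constructed for the example; the hash function is assumed to be plain SHA-256.

```python
import hashlib
import string

def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256 of a password (assumed scheme, chosen for the demo)."""
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed credential store standing in for a leaked extract.
# The hashes are computed here from the constructed passwords.
LEAKED = {
    "alice": sha256_hex("PASSWORD"),
    "bob":   sha256_hex("letmein"),
    "carol": sha256_hex("@$F@$%@EMD3ouhd3%^@"),
}

# Constructed stand-in for the first few entries of a common-password list,
# the kind of list an offline cracking tool tries before anything random.
COMMON_PASSWORDS = ["123456", "password", "PASSWORD", "qwerty", "letmein", "poker1"]

def audit_common_passwords(store: dict, wordlist: list) -> dict:
    """Return {user: password} for accounts whose stored hash matches a
    wordlist entry. One hash per candidate word is all it costs, so these
    accounts are the ones an offline attack recovers first."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in store.items() if h in lookup}

def exhaustive_guesses(password: str, alphabet: str = string.printable.strip()) -> int:
    """Number of candidates needed to try every string of length 1..len(password)
    over `alphabet`; the cost of reaching a random password once wordlists fail."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, len(password) + 1))

if __name__ == "__main__":
    # Expected: alice and bob flagged, carol untouched.
    print("at risk:", audit_common_passwords(LEAKED, COMMON_PASSWORDS))
    print("guesses to exhaust carol's length:", exhaustive_guesses("@$F@$%@EMD3ouhd3%^@"))
```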