Two Plus Two Publishing LLC
Old 10-22-2018, 05:44 AM   #901
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

As long as your password is not revealed to a third-party (eg, shared with a service which allows for offline cracking - see haveibeenpwned.com; or identified using a keylogger) and your password is not stupidly obvious (eg, if you won the 2004 WSOP, don't choose '2004wsop') and your email is secure (so that a hacker doesn't have access to your email so they can reset it) you'll be fine.

You probably should use a service such as LastPass or similar to secure all your passwords, but the discussion here about very complex passwords is just distracting nonsense to the victims who have lost money.
Josem is offline   Reply With Quote
Old 10-22-2018, 07:10 AM   #902
Inconsiderata
newbie
 
Join Date: Jan 2014
Location: Denver
Posts: 16
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Josem View Post
The argument about whether it is better to have random passwords, or ultra-long phrase passwords is entirely stupid and irrelevant to this thread for a few reasons:

a) The PokerStars password field is not - last time I checked - endless. I think it was limited to 20 characters (I can't check now, but anyone else can do so).

b) The issues of password complexity apply to offline password cracking (where you can run X million attempts a second) not to online password hacking where you have to send each request to the server, and wait for a result. I cannot imagine that you could send even a million requests to the PokerStars server, let alone billions, to brute force a PokerStars password in this manner.

c) It is all made irrelevant if you use the multi-factor authentication options that PokerStars offers: ideally, the RSA Security Token which was designed and implemented a decade ago, or the more recent SMS Validation. Each will be "good enough" for the meaningful risks that people reading this thread will face
Pretty much all sites need to have minimum 2 FA, but preferably RSA/Google authenticator as standard. Wherever I have virtual money held I demand this as a minimum. Should Stars and other sites insist on all real money players having this as minimum protection? My answer would be Yes. This is pretty much all old hat. I am far more worried about AI and Bot detection as they steal my money in more subtle ways!!!
Inconsiderata is offline   Reply With Quote
Old 10-22-2018, 09:05 PM   #903
wowsooooted
Pooh-Bah
 
Join Date: Jan 2013
Location: nearly there
Posts: 4,571
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Thanks Josem, that's some useful info, will be looking into LastPass and that SMS thing
wowsooooted is offline   Reply With Quote
Old 10-23-2018, 11:14 AM   #904
falldown
veteran
 
Join Date: May 2012
Posts: 2,096
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Josem View Post
As long as your password is not revealed to a third-party (eg, shared with a service which allows for offline cracking - see haveibeenpwned.com; or identified using a keylogger) and your password is not stupidly obvious (eg, if you won the 2004 WSOP, don't choose '2004wsop') and your email is secure (so that a hacker doesn't have access to your email so they can reset it) you'll be fine.

You probably should use a service such as LastPass or similar to secure all your passwords, but the discussion here about very complex passwords is just distracting nonsense to the victims who have lost money.
When you have multiple stories similar to this:

sirswish:

my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though

How can you possibly not believe that the password hack was on the Pokerstars' side of the board?

Your password could be 300 characters of indecipherable gobbledygook and it doesn't matter if someone has access to it from Pokerstars side.

It seems pretty clear to me, if these stories are all true, that there was a breach.
falldown is offline   Reply With Quote
Old 10-23-2018, 11:40 AM   #905
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by falldown View Post
How can you possibly not believe that the password hack was on the Pokerstars' side of the board?
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.

Quote:
Your password could be 300 characters of indecipherable gobbledygook and it doesn't matter if someone has access to it from Pokerstars side.
This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.

Quote:
It seems pretty clear to me, if these stories are all true, that there was a breach.
lol
Josem is offline   Reply With Quote
Old 10-26-2018, 12:40 AM   #906
Andyfothershops
old hand
 
Join Date: Oct 2007
Posts: 1,272
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Josem View Post
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.


This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.


lol
I had my Skrill account hacked and about 6k stolen. They flooded my linked email inbox with so much spam it filled it, and somewhere in between all the spam, which was just a huge mail bomb, was the email saying my withdrawal had been made. I exhausted the Skrill appeals process.

It was a unique random hashed password. They got it right first time. The attack originated from an internet access point less than a mile from Skrill's office, which could have been a coincidence. The second login was where the damage was done, as the first presumably was to get my primary email address and to prepare to move the money quickly.

At the time I appealed to the UK FRA ombudsman, which Skrill, being based in the UK, was covered by.

During my appeal I was doing some research on password hashing by seed. At the time I found multiple sites with people offering to de-hash password databases. Sceptics were offering up partial dbs for these hackers to de-hash as proof of ability. Each time they were cracking the hashed examples as proof of ability, and were usually correct even with a smallish sample.

The guys wanting the de-hashing done usually accepted this as proof of ability, sent the rest of the db to be de-hashed, and the transaction was completed successfully. No idea if hashing by seed is still done in the same way now as it was then. This was a few years ago. No malware/key loggers etc. were found on my computer and nothing else was hacked. It took about 13 months for my case to be reviewed. I won and was awarded a full refund with 9% interest iirc. No idea how it was de-hashed or by whom but it was. I concede that the initial offers may have been from shills. But I doubt the market in de-hashing password databases was that big back then.

Your 300 character example isn't practical for any internet user. But I do remember password de-hashing going on at the time, and the acknowledgement that it was weak and vulnerable and primarily used to prevent low level workers having access to user names' passwords. And remember someone or multiple people in the company have to know the seed. Things may have changed, I'm just recounting a similar experience that a number of people went through at the same time on two plus two. There were probably others elsewhere.
Andyfothershops is offline   Reply With Quote
Old 10-26-2018, 01:42 PM   #907
Beeblebreed
journeyman
 
Join Date: Feb 2008
Location: Check-raising you in the dark
Posts: 349
Stars-Account hacked - 12 year microstakes-career comes to an end

My Pokerstars account was hacked yesterday. Some piece of **** apparently got my password and lost the $850 on my account at NL200 tables to another account. Probably chip dumping. To be fair: My password was quite junk. Still, I found it quite disturbing how quickly Pokerstars made it clear that it wasn't liable itself. The attempt to reverse the hacker's payout process also failed.

Anyway, I wanted to place a warning at this point. Activate the two factor authentication and don't be as stupid as me.

For me that's the end of online poker. For 12 years I've been donking around on stars. I deposited 30 dollars from paysafe cards from the gas station and never looked back. That must have been 2006. Since then I played "successfully" for about an impressive 1.30 dollars hourly. In the beginning 10-max sngs, 10NL, some PLO8, later 6-max sngs, 180-tournaments. Nice times back then, stacking everybody with bottom sets. The last years I played only 7 dollar spin-and-gos and managed to do quite well.

Strangely enough, I am almost a little relieved with my "frozen account", not have to play poker anymore. Losing was always more annoying than winning was fun. So I wish everybody luck at the tables.

If this is the wrong forum ... sorry, please move
Beeblebreed is offline   Reply With Quote
Old 10-26-2018, 02:07 PM   #908
chasepoker
old hand
 
Join Date: Jul 2008
Posts: 1,627
Re: Stars-Account hacked - 12 year microstakes-career comes to an end

GG WP
chasepoker is offline   Reply With Quote
Old 10-26-2018, 02:44 PM   #909
Playbig2000
Carpal 'Tunnel
 
Join Date: Mar 2008
Location: Suffern, NY; PA, LV
Posts: 7,700
Re: Stars-Account hacked - 12 year microstakes-career comes to an end

you made $850 over 12 years?
Playbig2000 is offline   Reply With Quote
Old 10-26-2018, 02:52 PM   #910
nutella virus
newbie
 
Join Date: Mar 2016
Posts: 19
Re: Stars-Account hacked - 12 year microstakes-career comes to an end

12 years @ the micros...he did you a favor
nutella virus is offline   Reply With Quote
Old 10-26-2018, 03:12 PM   #911
Sir Huntington
old hand
 
Join Date: May 2009
Posts: 1,318
Re: Stars-Account hacked - 12 year microstakes-career comes to an end

That sucks, at least you don't have to play on Stars anymore. That site was the **** back in the day, now it's just ****.
Sir Huntington is offline   Reply With Quote
Old 10-26-2018, 03:28 PM   #912
Beeblebreed
journeyman
 
Join Date: Feb 2008
Location: Check-raising you in the dark
Posts: 349
Re: Stars-Account hacked - 12 year microstakes-career comes to an end

Quote:
Originally Posted by Playbig2000 View Post
you made $850 over 12 years?
No, I cashed out from time to time. But flipping burgers would have been ten times more lucrative.
Beeblebreed is offline   Reply With Quote
Old 10-29-2018, 09:41 AM   #913
falldown
veteran
 
Join Date: May 2012
Posts: 2,096
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Josem View Post
Because there's no strong evidence that this is the case.

I recognise that the intellectual rigour of 2p2 has dropped in recent years, but the conspiracy theory that there's some sort of narrowly targeted breach of PokerStars data is nutty. A handful of folks getting their accounts breached is not evidence that a ~100million user database has been hacked.


This simply isn't true. You don't know what you're talking about.

If your password is 300 random characters, and it has been hashed by PokerStars, then it's figuratively impossible for it to be cracked by brute force before the end of human life on earth.


lol
People with a unique Pokerstars password that gets entered correctly on the first try and none of their other accounts are affected?

This sounds like evidence to me.

I'm not sure if it's a third party who hacked in, or an insider somehow selling or using passwords, but it smells like someone has the passwords to me. Not a keylogger since other accounts were not affected, etc...

I realize I am out of my league discussing security with you so I'll just slink away into the shadows now.
falldown is offline   Reply With Quote
Old 10-29-2018, 10:59 AM   #914
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by falldown View Post
People with a unique Pokerstars password that gets entered correctly on the first try and none of their other accounts are affected?
It is theoretically possible that someone has somehow got an extract of the PokerStars password database, somehow run a brute force offline attack against it, and then used that to obtain access to a handful of accounts. I guess it's not impossible, but that's an awfully unlikely chain of events. I imagine that the fair odds of this having happened is something in the order of 1000-1 (or longer).

Quote:
I'm not sure if it's a third party who hacked in, or an insider somehow selling or using passwords, but it smells like someone has the passwords to me. Not a keylogger since other accounts were not affected, etc...
But PokerStars have previously published that they don't store player passwords in a plain text form. Rather, they're hashed. So for this to all have happened, you need to somehow extract part of the database, and then to run an (offline) brute force attack, and then to use the user's password. If someone has somehow done this, it's a very curious set of facts available to us.

It is far more likely that the victims here have revealed their passwords to the hackers by:
a) inadvertently using the password elsewhere
b) providing their password to some phishing service
c) sharing the password on different services
d) telling their password to a trusted friend or family member
e) falling afoul of a keylogger
f) some other way

If there was some sort of widespread PokerStars database breach:
a) PokerStars would have a legal obligation to notify the victims
b) the victims are much more likely to be people who have boring/common passwords, 'cause they're easier to brute force "de-hash". That is, the victims would be people with passwords like "PASSWORD" rather than "@$F@$%@EMD3ouhd3%^@" because modern offline brute force password cracking tools will try "PASSWORD" before the long and complicated random stuff.
c) There would be thousands (millions?) of victims, not a couple of dozen over several years
Josem is offline   Reply With Quote
Old 10-30-2018, 07:04 AM   #915
Andyfothershops
old hand
 
Join Date: Oct 2007
Posts: 1,272
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

There have been multiple long delays in the UK by large companies having their databases breached in the last few years. Some come clean right away but many often delay the press release.

Am I right in thinking once you've used dehashing software and cracked one password, you have the hashing seed and can dehash the rest? If that's the case the perpetrators are being very conservative so as not to draw huge attention on themselves, only have a small part of the database, or these passwords have been used elsewhere and sold. I'm speaking as a man who had a legit e-wallet hacked which had a unique and complex password which the hackers got correct first time. See above. I'm no expert in this field but took more than an active interest when 1/3 of my roll was stolen then immediately moved to another gambling site who refused to reverse the transaction knowing it was fraudulent.

Last edited by Andyfothershops; 10-30-2018 at 07:23 AM.
Andyfothershops is offline   Reply With Quote
Old 10-30-2018, 08:36 AM   #916
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Andyfothershops View Post
There have been multiple long delays in the UK by large companies having their databases breached in the last few years. Some come clean right away but many often delay the press release.
GDPR rules have changed this.

See here: https://ico.org.uk/for-organisations...data-breaches/

Quote:
Am I right in thinking once you've used dehashing software and cracked one password, you have the hashing seed and can dehash the rest?
No.


Quote:
If that's the case...
Fortunately, that's not the case.
Josem is offline   Reply With Quote
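
The salted-hash behaviour behind the "No." in the post above, as an added example that is not part of the thread and not PokerStars' code. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt (the thread does not say which scheme PokerStars uses); the user names, iteration count and word list are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed demo value, kept low so the example runs quickly

# Constructed stand-in for the "boring/common" passwords an audit tries first.
COMMON_PASSWORDS = ["123456", "PASSWORD", "qwerty", "2004wsop"]


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the value that gets stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the server keeps: a fresh random salt plus the derived hash."""
    salt = os.urandom(16)  # the "seed": unique per user, stored next to the hash
    return {"salt": salt, "hash": derive(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    return hmac.compare_digest(derive(candidate, record["salt"]), record["hash"])


def weak_accounts(db: dict, wordlist: list) -> list:
    """Audit: which stored records match an entry of a common-password list.

    Every guess has to be re-derived per user, because each record has its
    own salt. Nothing learned from one record shortens the work on another.
    """
    return sorted(
        user for user, rec in db.items()
        if any(verify(rec, word) for word in wordlist)
    )


def build_demo_db() -> dict:
    """Constructed sample database: two users share a weak password."""
    return {
        "alice": make_record("PASSWORD"),
        "bob": make_record("PASSWORD"),
        "carol": make_record("@$F@$%@EMD3ouhd3%^@"),
    }


if __name__ == "__main__":
    db = build_demo_db()
    # Same password, different salts: the stored hashes do not match.
    print("alice and bob share a stored hash:", db["alice"]["hash"] == db["bob"]["hash"])
    # Only the common passwords fall to the list; the random one does not.
    print("matched by the common list:", weak_accounts(db, COMMON_PASSWORDS))
    # Knowing alice's salt is no help against carol's record.
    reused = derive("@$F@$%@EMD3ouhd3%^@", db["alice"]["salt"])
    print("carol's hash reproduced with alice's salt:", reused == db["carol"]["hash"])
```

The salt is not a secret key: it sits in the database beside each hash, and its only job is to force every guess to be recomputed separately for every user.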
Old 10-31-2018, 03:58 AM   #917
NerdSuperfly
old hand
 
Join Date: Nov 2010
Location: just shillin', yo
Posts: 1,962
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by Josem View Post
b) providing their password to some phishing service
i can't speak about the current events (eg regarding the ddos attacks, b/c i didn't read something recently), but when this thread started, it took only a few months and a security site wrote a piece about a new sort of malware. in the article it was mentioned that the poker community was targeted. basically they attached the virus (or whatever) to cracked versions of PT and HM and of course tons of ppl downloaded it.

it was also mentioned itt, that in general hackers and those who steal the money are not the same persons. we have some people, that write the malware, spread it, collect data and sell it on the black market and then there are people, who buy specific sets of data to make a profit. eg credit cards info or in this case login data for clients.

so the usual "oh, if i would have been hacked, my email account [or fill in something else] would have been breached, too" argument isn't a proof. another thing i read far too often "but i ran my anti-virus software and my laptop is clean" is also misleading. not beating a dead horse, but if a malware is new and well written, no virus scanner will find it. and if you're not familiar with the topic and you don't monitor your software, you won't notice.

i'm not saying every complaint can be brushed away by saying, you downloaded malware and someone sold the login data. i just think the general idea of "oh, it was definitely not my fault" (for every case) seems unlikely. having said that, even if it was the user's fault, i think in some cases it's weird, that the attackers could add a new withdraw option and get away with the money.
NerdSuperfly is offline   Reply With Quote
Old 10-31-2018, 04:53 AM   #918
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

NerdSuperfly,

I agree with much of what you wrote there (especially including concerns about poker operators allegedly allowing withdrawals to new devices).
Josem is offline   Reply With Quote
Old 11-01-2018, 07:09 PM   #919
TrueBlue420
banned
 
Join Date: Sep 2018
Posts: 36
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

Quote:
Originally Posted by sirswish6 View Post
my stars account got broken into this week, no other accounts of mine have been hacked that i can tell. very strange as i haven't played on stars in over 2 years and that password is a totally unique password that i don't use on any other sites. my rsa did expire in 2015 though



Don't trust that email asking for that sort of information from you, seems scammy as hell, esp the email name itself, I've never seen that one before. Contact support yourself through their website. Do not trust emails you get asking you q's while your account pw isn't working. Etc. I could be wrong about this, but it feels fishy to me and I say might as well not risk it and contact stars directly instead of responding to the emails with questions of this nature.
TrueBlue420 is offline   Reply With Quote
Old 01-09-2019, 10:11 AM   #920
Josem
human chemical weapon
 
Join Date: Jan 2007
Location: Getting Trolled
Posts: 16,727
Re: Many Pokerstars accounts hacked recently, Stars accepts no liability

A new post by an outstanding consumer-facing online security account researcher: https://www.troyhunt.com/no-spotify-wasnt-hacked/

It provides some possible explanations for how a user could have their password compromised, and uses the example of Spotify accounts to demonstrate the idea.
Josem is offline   Reply With Quote

All times are GMT -4. The time now is 04:45 PM.

