PRESS RELEASE JUST POSTED ON TWITTER
http://t.co/G9v7LyE1YpMAJOR Bitcoin Poker SITE HACKED (NOT Livebitcoinpoker.com we said MAJOR!!)
We are new but have to acknowledge we already have the greatest players in the world! So let us start out by thanking those few members who really stepped it up and have discovered a huge security flaw on one of our competitor’s servers. This is major and super important to us because we use the same program on the back-end of our site. HankWhite69 helped discover the fix for the server without even knowing it and that’s what got us to digging a little deeper and patching this issue. (at least for our site)
Our main competitor who uses the same back end software was notified 1st by our shared users of this exploit. The competitor did not respond to them. Once word got out (5/25/2013) about other sites having this open exploit it was inevitable that abusive players/hackers would try to use this exploit. Our competitor was hacked on 5/27/2013 and the competitor has chosen NOT! to acknowledge the attack and has not changed the security protocol. This anonymous hacker had tried selling us our competitors users hashed passwords and account information. The user did this by entering a game and demanding to talk to an ADMIN in game. The hacker explained that the hashed password were encrypted by the same exact key we use. (he was right at the time)
We confirmed the hack by one of our player accounts on the competitors site and 3 other users accounts (not associated with LBP) have been comprised with solid proof. (Users who have noticed missing Chips and Deposit wallet swaps) We are not 100% sure who had access but they are working from behind this IP “114.229.211.29″ as we caught them in a sting setup last night. The IP address shows a Chinese backing however upon closer examination and trapping this user into leaving footprints on our DUMMY server we have found out that he is a FOR FIRE HACKER that exploited an open PORT on our competitors website (he tried on ours but it was a dummy server) We believe it could be related to a few irregular open ports that older windows servers need to open in order to function.
We then decided to contact our competitor and let them know they have been hacked and how to solve the problem we did this as a courtesy to the community and got this response back.
“We are aware of this issue, LBP should not be concerned with our security. “
We could not let this go that easily as we share some of the same users so we responded with a little more action.
FROM LBP
“Your security is important to us because we use the same software and a vulnerability on your site could mean the same for ours. The main reason we care is if users from your site logs in to our site with the same credentials and your software gets compromised someone could theoretically use *Competitors site* login credentials on our site if the user uses the same information on both sites. Our passwords are hashed with the same key as yours so even though they are encrypted if that key gets broke everyone is at risk. This flaw is major and is now 100% secure on our end as we have changed our key. This does not solve your security issue.” We gave them the names of 3 compromised accounts given to us as proof of intrusion.
FROM THEM
“Once again our security is not LBP’s concern, if we wanted your help we would ask you. NONE OF OUR PLAYERS PLAY AT LBP and if they do we don’t care it’s worth the risk. Do not message us again there is zero camaraderie between us”
(1 day later they were hacked)
We did not respond to that and realize that our poker community is not what we thought it was. We are friendly in the community and we were expecting the same. We are not as big and have tolerated a lot for being new but this will end soon as our generosity is running thin with abusive networks.
We have since then changed our encryption key. Since all passwords are hashed at registration and before being processed we have asked old users to change their passwords for the new encryption most of them already have and if you haven’t please do.
A reminder to OUR users.
1. Pick a passwords not used on any other site
2. We separate our poker severs, wallets and main site from each other to prevent any disruption.
3. Wallets are not hosted online.
4. Registration credentials are hashed when sent and we no longer use the same key as other sites.
5. We have fast support so if there is an issue let us know AS Soon As It Happens
