An online poker service that deals solely in Bitcoin has issued a mandatory password reset one day after someone published login credentials for more than 42,000 enthusiasts of the card game and digital currency.
An advisory published Thursday by Seals with Clubs warns, “Our database containing user credentials was likely compromised.” Left out is any mention of a list of 42,020 hashes posted to a user forum about 24 hours earlier.
While the person posting didn’t identify the source of the cryptographically salted SHA1 hashes, early rounds of cracking uncovered passwords such as “sealswithclubs”, “88seals88”, “bitcoin1000000”, and “pokerseals”. Password security experts almost immediately suspected that they belonged to Seals with Clubs users. Thursday’s advisory from the site is probably the closest we’ll get to a definite confirmation.
In Wednesday’s post, which was made to a paid password recovery forum operated by commercial password cracking software developer InsidePro, the user StacyM attached a database of hashes and offered $20 in Bitcoins for every 1,000 unique hashes that were cracked. Nine minutes later, the first reply came in, claiming to have recovered the first 1,000. One day in, about two-thirds of the list has been cracked. It wouldn’t be surprising to see that amount reach 80 percent or higher in the coming days.