Americas Cardroom (ACR), the flagship room of the Winning Poker Network (WPN), has confirmed that a limited number of player accounts were breached via an external “credential stuffing” attack last month that successfully accessed several accounts and made (or attempted to make) withdrawals to cryptocurrency accounts such as Bitcoin wallets.
Upon learning of the attacks, ACR quickly reviewed its records searching for players who may have been impacted, and has since issued refunds to all known victims of the attacks, which typically involve attempting large numbers of logins with known username / password combinations that have been used on similar sites.
The situation first emerged three weeks ago on Twitter via posts made by veteran online player “GambleGamble”, who described receiving emails disclosing account access — purportedly by himself — when he had not been playing. GambleGamble subsequently logged on and discovered that nearly $9,000 had been removed from his account.
GambleGamble’s unusual story, which at that time was unverified, gained more exposure via a thread at Todd Witteles’ PokerFraudAlert forums, where such matters are often discussed. Most often, these sorts of allegations turn out to be false reports and rumors, but a handful of tales similar to GambleGamble’s slowly emerged, with a small handful of players being hit, typically, for high-four-digit and low-five-digit sums.
Credential stuffing preys on many players’ personal security weaknesses
“Credential stuffing” attacks rely on users’ own weaknesses in creating weak passwords or on using the same passwords from one site to the next. The attacks can be automated to test large numbers of potentially likely user name and password combinations, many of which have been stolen or purchased on the dark web.
“We recently had a handful of accounts that were susceptible to breach due to a credential stuffing attack,” a company representative said to USPoker’s Sean Chaffin. “We’ve patched this vulnerability and zero player balances were lost.” Patching such vulnerabilities is usually done through adding additional security measures implemented during the login process. Other added protection can include barring certain types of browsers and disallowing the twinned usage of a given email address as a player’s username or account ID.
“These sorts of attacks are all to common in all online environments,” an ACR spokesman told Poker.org directly. “We take them very seriously and work to defend and secure whenever vulnerabilities are identified. All account balances that were affected were given full refunds.”
The ACR spokesman also confirmed that no ACR employees were involved in the hacking, and that rumors and accusations to the contrary were false. “To be clear, this attack was completely from an external third party,” the spokesman stated.