The biggest Bitcoin poker website, SealsWithClubs, had some serious issues this week as their password database was leaked. We spoke to SealsWithClubs chairman Bryan Micon who made some time for us to give a short explanation to what happened.
If you're not familiar with SealsWithClubs or Bryan Micon we suggest you read the following articles. Some of the highest stakes in poker history were played on SealsWithClubs when Bitcoin prices surged, here's that exclusive report.
“We made it pretty full disclosure in the statement on our website. I’m not the technical person and essentially I get briefed from the guys that do know what’s going on. That team came to us and said what happened, after which we printed that as plainly as we could on the site,” Micon started out with.
The statement on the site read as following, published on Thursday December 19th.
The datacenter that we employed up to November permitted unauthorized access to a database server and our database containing user credentials was likely compromised. Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution.
As a response to this occurrence, a top priority is to further put user’s security into their own hands beyond offering two-factor authentication. This includes the ability to permanently lock withdrawal address, locking out the transfer feature, and locking out account access except for a set of IPs (at least one of which must be the currently used IP). Expect to see these features in the near future.
Transfers may be disabled for a short period of time. Thank you very much for your understanding and support during this rough time. We sincerely apologize for any inconvenience or concern this may cause our players.
In a situation like this it’s not uncommon that players panic, have lots of questions and wonder if there’s something going on with their account. Micon said the following about the SealsWithClubs players and how they have not been negatively affected by the recent problems.
“I have a close relationship with a big part of the player base and these are important people to me. Many of those I’ve been friends with for much longer, even from before I started getting involved with SealsWithClubs. They contacted me yesterday, rightfully worried, which I understand, and I explained to them what you could read in that statement,” Micon said.
“We employed a data center until November, but we don’t employ them anymore because of what happened. They permitted unauthorized access to our database server and I don’t think it’s proper from a security standpoint to go deeply into what happened exactly. It’s also not important to the user, we’ve essentially admitted that we got compromised; we’re taking proactive steps and we fired them as soon as we found out. We quickly developed a solution, and when players reset their password it will be on a more secure server. When you reset the password there is nothing to worry about from that point on. Before that there was basically also nothing to worry about, we always treated our players fairly and it’s not something where you always play on SealsWithClubs and all of a sudden all your Bitcoin is gone. We wouldn’t let that happen,” Micon strongly stated.
While certain hackers attempt to gather information to point out leaks in website’s security Micon is convinced that were definitely more to it this time around.
“There was malicious intent here, we found out through the investigation there was a guy that had our old database and wanted to establish passwords to steal Bitcoins. That was definitely the goal relayed to me by the tech team. It looks like our response was in time and that he did not get any. We’re taking security measures and players are going to have to contact us and certain accounts will be locked that meet certain criteria. Players can contact us to verify the account belongs to them and after that we will unlock those accounts again,” Micon said about solving the problems.
“The support inboxes are pretty full right now with questions about this situation and therefor we will lag a little behind our usual quick response time. We are working really hard to get through all of them as soon as possible and to give all our players an adequate response. Things are looking really good though; we have not seen any shady transactions. Responses to this, and if there were any shady transactions, you could just as easily gage those from looking at the TwoPlusTwo and BitcoinTalk threads that would pop up about that,” Micon said.
“There would be people screaming as loud as they can if there were people missing Bitcoin. Poker players are very used to doing that and I think that’s great, that’s how it should be. Those things instantly hold the site accountable and let everybody else know what’s going on if there’s something shady you should know about. That’s information you should have before you decide if you want to play on a site, before you deposit money or keep money on there. So you could see that, but that’s not happening. The response from the team has been good even thought it was a bad error to make,” Micon said.
“I am not at liberty to disclose all that information, but I can say that it’s stored differently. As I understand it’s a far more advanced system, and as I understand it’s something that should’ve been done a long time ago. It’s a gross error on our part and that has been corrected,” Micon admitted.
“We’re trying to be as much as a no bullshit site as possible. This definitely qualifies well within bullshit and we want to eliminate that going forward. All in all, with the way we responded, I think this will not be that terrible. With our response, and assuming there is no widespread damage, I think we will put a positive spin on this eventually,” Micon said confidently.
What I’m wondering though, what were your tech guys working on that was more important than this before it all went sideways as they seem to be able to fix it very quickly?
“Clearly we had our priorities out of order if there was a problem as fundamental as needing to change everyone’s password when it was exposed. We believed we were working on the most important things, strengthening the infrastructure, server side improvements and new games. It’s easy to get caught up in things like wanting to be able to offer Open Faced Chinese poker and Badeucy for Bitcoin. That’s a hot idea and almost sexually arousing to me! It’s wrong, because it shouldn’t be and those ideas can never get in the way of important security measures,” Micon said.
“The technical team is in constant motion and being grown as we speak. Connectivity is the one thing we were always working on throughout 2013 more than anything else. On top of that, with the new platform, come all the new games and bells and whistles. Looking back on 2013 connectivity was our biggest failure,” Micon said as they are constantly working on improving their poker client.