A large amount of personal data about UB players has been leaked. The data, which was posted publicly on the internet, appears to contain information about every player with an account at Ultimate Bet. Subject: Poker estimates that roughly 3.5 million accounts are affected. Accounts on UB’s sister site, Absolute Poker, are not included.
The leaked data includes the following:
- Full name
- Screen name
- E-mail address
- Phone number
- Mailing address
- Account balance
- IP address
- Deposit methods used (e.g. “echeck”)
- Birth date
- Account number (unique identifier for UB accounts, not bank accounts numbers)
- VIP status
- Affiliate status
- Blacklist status
A link to the data was posted on the Two Plus Two Poker Forums by an anonymous poster who removed the link eight minutes later. This is the only such public posting that we know of, but in that brief time period, enough people saw the link that it is currently being passed around privately.
Subject: Poker confirmed the accuracy of the data against known information. For example, the author’s private information is included and correct (though it is now outdated). We looked up a small number of known accounts, and we were unable to find anyone with a UB account whose personal details were not leaked accurately. It is of course possible that some subset has been removed or altered.
The data is organized by country, with roughly 2 million US accounts, 319,000 Canadian accounts, 137,000 UK accounts, and roughly 1 million accounts from other countries. The data contains over a dozen columns in addition to those listed above, many of which we’ve been unable to identify. Indeed, all the columns are unlabeled, and many are inconsistent. In one spreadsheet, a column that contains IP addresses for some users contains physical addresses for others; in another, a column that contains screen names for some contains account numbers for others.
Financial information other than deposit methods and account balances (such as credit card numbers) does not appear to be included. One file, which appears to contain mostly Italian-speaking players’ information, has a column labeled “Password,” but much of the column itself does not appear to actually be a column of typical passwords.1
It is not clear who leaked this information or why he chose to do so. The domain name and hosting were registered privately, and the website existed for long before the data was leaked. Some of the files themselves offer clues: A few contain small subsets of the full data, suggesting that the leaker may have created samples to show others. We will continue to investigate this aspect of the story.
Absolute Poker and Ultimate Bet, which together used to comprise the third largest online poker network, have been effectively defunct since shortly after the US Department of Justice seized their domains, indicted their principals, and sued for all of their assets on April 15th. Since then, most players have been unable to withdraw any money, while some non-US players have been able to cash out small amounts. On June 13th, we reported that the two sites had only about ten percent of the $54 million that it owes to players. On October 27th, the Kahnawake Gaming Commission, which licenses Cereus, announced that the company that owns the Cereus network intended to liquidate its assets and distribute the proceeds to players. However, it is unclear what assets this company has, and no further news has come from Cereus since.
Subject: Poker would not have posted this information were it not already being spread on the internet. We have contacted the hosting company of the website, and we hope that the information will be removed soon. We advise anyone who has access to this data not to share it with others.
Update 12/3/2011 5:00 PM EST:
The host of the site has responded to our request and disconnected the server which contained the leaked information. It is unclear how many people had access to the data before it was taken down and how much of it was downloaded.
Out of an abundance of caution, Subject: Poker will not reveal the former location of the information at this time, and we suggest that others do the same. We will continue to look into who posted this information and why, and we will cooperate with law enforcement if we are contacted.
Edited on 12/2/2011 8:30 PM EST: Made items in list singular instead of plural to avoid confusion.
- Most of the values in the “Passwords” column are six-digit numbers or numbers with the letter O mixed in, e.g. “1o23o4″. A small fraction of the values do look more like typical passwords. Subject: Poker is not sure what these are. Perhaps they are automatically generated passwords, or the column could be mislabeled. It is adjacent to a column labeled “UserName” that is similarly cryptic, including strings with characters that are not legal in UB user names. ↩