Large Amounts of Personal Data Leaked from UB (Update: Site down)

December 2, 2011 - 6:54 PM EDT

A large amount of personal data about UB players has been leaked. The data, which was posted publicly on the internet, appears to contain information about every player with an account at Ultimate Bet. Subject: Poker estimates that roughly 3.5 million accounts are affected. Accounts on UB’s sister site, Absolute Poker, are not included.

The leaked data includes the following:

  • Full name
  • Screen name
  • E-mail address
  • Phone number
  • Mailing address
  • Account balance
  • IP address
  • Deposit methods used (e.g. “echeck”)
  • Birth date
  • Account number (unique identifier for UB accounts, not bank account numbers)
  • VIP status
  • Affiliate status
  • Blacklist status

A link to the data was posted on the Two Plus Two Poker Forums by an anonymous poster who removed the link eight minutes later. This is the only such public posting that we know of, but in that brief time period, enough people saw the link that it is currently being passed around privately.

Subject: Poker confirmed the accuracy of the data against known information. For example, the author’s private information is included and correct (though it is now outdated). We looked up a small number of known accounts, and we were unable to find anyone with a UB account whose personal details were not leaked accurately. It is of course possible that some subset has been removed or altered.

The data is organized by country, with roughly 2 million US accounts, 319,000 Canadian accounts, 137,000 UK accounts, and roughly 1 million accounts from other countries. The data contains over a dozen columns in addition to those listed above, many of which we’ve been unable to identify. Indeed, all the columns are unlabeled, and many are inconsistent. In one spreadsheet, a column that contains IP addresses for some users contains physical addresses for others; in another, a column that contains screen names for some contains account numbers for others.

Financial information other than deposit methods and account balances (such as credit card numbers) does not appear to be included. One file, which appears to contain mostly Italian-speaking players’ information, has a column labeled “Password,” but much of the column itself does not appear to actually be a column of typical passwords.[1]

It is not clear who leaked this information or why he chose to do so. The domain name and hosting were registered privately, and the website existed long before the data was leaked. Some of the files themselves offer clues: A few contain small subsets of the full data, suggesting that the leaker may have created samples to show others. We will continue to investigate this aspect of the story.

Absolute Poker and Ultimate Bet, which together used to comprise the third largest online poker network, have been effectively defunct since shortly after the US Department of Justice seized their domains, indicted their principals, and sued for all of their assets on April 15th. Since then, most players have been unable to withdraw any money, while some non-US players have been able to cash out small amounts. On June 13th, we reported that the two sites had only about ten percent of the $54 million that they owe to players. On October 27th, the Kahnawake Gaming Commission, which licenses Cereus, announced that the company that owns the Cereus network intended to liquidate its assets and distribute the proceeds to players. However, it is unclear what assets this company has, and no further news has come from Cereus since.


Subject: Poker would not have posted this information were it not already being spread on the internet. We have contacted the hosting company of the website, and we hope that the information will be removed soon. We advise anyone who has access to this data not to share it with others.


Update 12/3/2011 5:00 PM EST:

The host of the site has responded to our request and disconnected the server which contained the leaked information. It is unclear how many people had access to the data before it was taken down and how much of it was downloaded.

Out of an abundance of caution, Subject: Poker will not reveal the former location of the information at this time, and we suggest that others do the same. We will continue to look into who posted this information and why, and we will cooperate with law enforcement if we are contacted.


Edited on 12/2/2011 8:30 PM EST: Made items in list singular instead of plural to avoid confusion.

Footnotes

  1. Most of the values in the “Passwords” column are six-digit numbers or numbers with the letter O mixed in, e.g. “1o23o4”. A small fraction of the values do look more like typical passwords. Subject: Poker is not sure what these are. Perhaps they are automatically generated passwords, or the column could be mislabeled. It is adjacent to a column labeled “UserName” that is similarly cryptic, including strings with characters that are not legal in UB user names.


40 Responses to Large Amounts of Personal Data Leaked from UB (Update: Site down)

  1. rapedbyUB
    December 2, 2011 at 7:31 PM EDT

    Thought UB can’t fuck me any harder. I was wrong.

  2. Palikari
    December 2, 2011 at 7:32 PM EDT

    If UB did ever do anything right, then the passwords should be one-way encrypted. Which means easy to encrypt, hard / nearly impossible to decrypt. The server only saves the encrypted pw and can’t decrypt it itself. Even UB wouldn’t know the pw.

    • Noah Stephens-Davidowitz
      December 2, 2011 at 7:34 PM EDT

      Right. Hopefully they do do that.

      As I said in the article, we don’t believe that passwords were compromised.

  3. thetrump12
    December 2, 2011 at 7:40 PM EDT

    yeah right u know exactly what a poker player in a position like this would do shove. It is war right now and they know they can get away with murder right now before the jedi pull all money into a poool called protection.. ub they all had a deal and guess what were paying the dues for the learning and the longtime passion we’ve developed in the game. I take it as a waiting experience to look at cake and other networks and realize how good we had it late night mtt’s and why we had it sooooooooooooooooooooooo goood. I am not bashing your site I like you guys. I just don’t like this.

    • Scott
      December 3, 2011 at 4:08 AM EDT

      how many lines did you do before you made this post?

      • nate
        December 4, 2011 at 1:16 AM EDT

        lol

  4. Micon
    December 2, 2011 at 8:28 PM EDT

    The password footnote sounds like they are “salted” or “hashed” passwords, i.e. not stored in plain text. Good chance some1 nerdier than me will know for sure.

    • Noah Stephens-Davidowitz
      December 2, 2011 at 8:29 PM EDT

      I’m nerdier than you. A 6-digit hash function would be absurd.

  5. Marc Leon
    December 2, 2011 at 9:14 PM EDT

    Look at the bright side. Russ Hamilton’s address and phone number is somewhere on the intertubes. ;)

  6. ServerBTest002
    December 2, 2011 at 9:17 PM EDT

    OT: I subscribed to your RSS but this news didn’t arrive :(

  7. chris johnson
    December 2, 2011 at 10:11 PM EDT

    I’d wager a small sum that NSD leaked the info just to have a story to put on this site seeing as how there have been two several week periods without a single story.

    • Noah Stephens-Davidowitz
      December 3, 2011 at 4:41 AM EDT

      I’ll take that bet….

      • Ryan
        December 5, 2011 at 3:29 AM EDT

        I hope you take that as “we better publish more news to avoid extra conspiracies.”

  8. Philip Quarles
    December 2, 2011 at 10:44 PM EDT

    More bad news: they were planning to sell personal information to a data-mining firm to pay back players. Now that it’s been leaked publicly, the data-mining company won’t pay them anything, and players will be stuck with pennies on the dollar.
    #notintendedtobeafactualstatement

  9. Alex
    December 3, 2011 at 1:38 AM EDT

    Time to start sifting through all those names to try and uncover more goodies for the UB scandal? Or is that just a waste of time from now on because they don’t exist?

  10. renny
    December 3, 2011 at 1:54 AM EDT

    This same thing was reported in a German poker forum last year and UB support did nothing about it.

  11. AfterBroadway
    December 3, 2011 at 8:54 AM EDT

    Anyone keeping a checklist of their various scandals? How many is this now? They are just awful.

  12. Remo
    December 3, 2011 at 11:01 AM EDT

    @philip I don’t think saying they were going to pass onto a data mining is an accurate description

    You can’t take that level of information and sell it on to recoup €/£/$ or handle in a legitimate way
    It’s out there no matter how brief download link was live. Will be sold as “fresh” quickly to highest bidder whether seller involved in UB or not , and then resold and sold

    Spammers delight, and will start in next few days until all contacts burned through

    (speaking from experience – regarding data breaches)

  13. Remo
    December 3, 2011 at 12:15 PM EDT

    oh btw @philip I really have no understanding why you added the #tag to your comment as just illogical either you are saying something or not?

  14. jimsbets
    December 3, 2011 at 12:36 PM EDT

    No ftp info no care
    #intendedtobeafactualstatement

  15. Kevin
    December 3, 2011 at 12:55 PM EDT

    I wonder ‘where’ the info leaked from in terms of a physical location. I thought UB’s servers were with the KGC. If so, such a leak would fall under PIPEDA which is Canadian commercial privacy law.

    The only problem is if the Canadian privacy commissioner looked into it, their rulings are not binding nor enforceable unless a person goes to federal court with it. Most businesses have the common sense ‘not’ to let it get this far, but seeing as UB is basically a defunct company, I don’t think they care. Plus, even if you went to court to sue them over a privacy violation, if they’re broke, it’d cost more to sue them than what you’d get back.

    Pretty shameful though that this amount and detail of information was able to leak.

    • SteppinRazor
      December 3, 2011 at 4:39 PM EDT

      Some random employee looking out for him/herself trying to sell the data seems more likely than the company itself being involved in sharing that information. I can’t think of how it would benefit them

      • Kevin
        December 3, 2011 at 7:07 PM EDT

        The company itself is still responsible though for how its information is stored and shared. A person could go after the company, and the company could then go after the person responsible.

        The only problem is the company is broke…so it’s not going to do much good.

        It would be considered a pretty massive breach of privacy by Canadian standards if it did occur from servers at the KGC.

        • Rick
          December 4, 2011 at 11:49 AM EDT

          If you ask Mohawk they are not Canadian they act and tell everyone they are a sovereign territory and don’t have to respect Canadian law.

          • Kevin
            December 4, 2011 at 3:49 PM EDT

            I know what they “say”, but if that were true, then there wouldn’t be the large numbers of first nations people locked up in “Canadian” jails then

            This whole thing’s a real mess because people don’t even know who to blame and hold accountable…and even if they did…hard to say what kind of punitive measures could even be taken

  16. Brendan
    December 3, 2011 at 5:18 PM EDT

    This article (and all reports using this as a source) claims that no AP info was included in the leak. However, Todd Witteles claims to have found 2 of his AP accounts in the leaked database. As far as I can see, both statements cannot be true. Can you please confirm with Druff to see what the deal really is?

  17. Jeremy Crowhurst
    December 4, 2011 at 2:10 AM EDT

    Interesting demographic breakdown — 2M US, 300K Canada, 137K UK, 1M ROW. I wonder if that’s representative of FTP’s demos, and for other current sites (excluding US of course).

  18. Tomas
    December 4, 2011 at 12:10 PM EDT

    About these passwords, it looks like they (whoever posted this database) are in possession of encrypted passwords and decrypted only those simplest (6char).

    • poti
      December 7, 2011 at 9:42 AM EDT

      Whoever has gotten hold of the db may very well be using John the Ripper (password recovery tool) with password dictionary e.g. http://dazzlepod.com/uniqpass/, to crack the remaining passwords offline.

  19. Asher
    December 4, 2011 at 2:18 PM EDT

    Does a database like this have value to an operational site like Stars, Everleaf, or Cake? Is it possible the author made this post to draw attention to the list in an effort to sell it? In the real world companies pay an absurd amount for specialized micro-targeted data.

  20. Stephen Cobb
    December 8, 2011 at 4:46 PM EDT

    Maybe someone can help me understand the current status of Ultimate Bet. I think the feds seized ultimatebet.com and ub.com but I still see a site that looks live at ub.net. And it has the UB logo. Is this the same company? Does the continued operation of ub.net mean the feds failed to take the obvious step of seizing related domains?

    Any light you can shed appreciated.

    Stephen

    • Noah Stephens-Davidowitz
      December 8, 2011 at 9:05 PM EDT

      The DOJ didn’t seize any .net domains. This isn’t them failing to take an obvious step; it’s just them not doing something. The .net domains are in theory only for the play money sites, so they’re a bit different legally.

  21. Larry
    December 9, 2011 at 7:02 PM EDT

    Any idea on when any of the US players are going to see their money?

    Keep up the good work SP!

  22. Crist Nasar
    December 10, 2011 at 12:46 PM EDT

    Where is the list?

  23. PlayFair
    February 2, 2012 at 5:25 PM EDT

    What about FTP?
    It seems like personal data leaked from FTP as well.
    My email is compromised, I have a lot of spam from
    gambling sites. Nobody knew this email except FTP.

  24. Whatsapp Poker News
    August 22, 2012 at 11:42 AM EDT

    I find it astonishing that a company with so many members can be so lax about their security as to let somebody access such data so easily. Given the recent Full Tilt Poker problems, and the subsequent implications for internet poker as a whole, I would have thought other companies would have acted more responsibly. At least nobody has had their financial details revealed but that is a minor consolation. New regulation needs to be introduced.

  25. Michael
    September 12, 2012 at 11:48 AM EDT

    It’s terrible how a company as big as this has faults in its security which has led to this

  26. Poker News General
    September 18, 2012 at 12:24 PM EDT

    One simple way to maintain your customers’ faith in you is to make sure that their details are secure! I hope they learnt from this horrible event.

  27. Michael
    October 3, 2012 at 6:33 AM EDT

    I am gobsmacked that a company with so many members can have such terrible security as to let somebody access such data so easily. I hope this doesn’t cause too many issues for the online poker community

  28. http://www.pokerberry.co.uk/
    October 4, 2012 at 6:26 AM EDT

    How can a company as big as this be so careless in regards to its customers’ details, there is no excuse and I hope those responsible will be punished.
