Was PokerStars Hacked? Site says No, Victims say Yes

“Was PokerStars hacked?” That’s the big question on the lips (and fingertips) of millions of online poker players who call PokerStars their virtual home. In the last month, dozens of players have reported that their accounts were accessed and their funds depleted, and the world’s largest online poker site is denying any fault.

The first suspicious activity was reported on Feb 22 by a member of the TwoPlusTwo forums, who then elaborated on the evidence in a second post, alluding to accusations of hacked PokerStars accounts.

According to the victim, someone had accessed their account from a foreign country, requested (and was granted) an increase to the max deposit limit, made multiple deposits from a never-before-used credit card, converted 69,000 FPP to $70 cash, registered a never-before-used Neteller account, and proceeded to make two instantly approved withdrawals to that account in the amounts of $800 and $790.

Those are some hefty accusations, and ones the player was able to back up with more than enough evidence. In the beginning it looked like the victim had either given his password away, or his computer was compromised by malware. However, it wasn’t long before other victims came forward.

On Feb 27, a second player said he suffered an “almost identical” instance of his account at PokerStars hacked. Similarly, this player had a complex password and had never given it out. More analogous reports came pouring in from there.

Then it was confirmed that the alleged hacker in the first incident unsuccessfully tried to access the victim’s email account just minutes after the PokerStars account was entered, which suggests the culprit retrieved the email address from the PokerStars account but had no password to access it. According to the victim, this can only mean that the PokerStars password was not collected by malware, or the hacker would have accessed the email just as easily.

That led to even more suspicion and questions – was PokerStars hacked? And if not, is there an extreme security issue that needs to be addressed?

Each of the dozens of victims who found out their accounts had been hacked over the last month was notified by the same email from PokerStars.

Greetings from PokerStars.

Your account has been frozen as we have determined it was accessed from a foreign location without your knowledge. We have conducted a full investigation into your account and we believe that your PokerStars password may have been compromised.

Our facts to support this are as follows:

The logins to your account show no failed attempts; whoever accessed your account knew your password perfectly.

Computer finger printing technology is utilized by our Security Team in order to determine which computer your account was accessed from. In this case, our investigation concludes that your account was accessed from a foreign computer where no logins were previously detected from. It is therefore possible that your password has been compromised.

With regards to the bankroll in your account, unfortunately we have been unable to recover funds lost.

To conclude this matter, we would like to advise you that PokerStars will not be liable for funds lost on your PokerStars account. PokerStars will not be held liable for any losses as a result of insufficient security measures to ensure that your personal details remain secured. This is in accordance with the sections 10.2 and 10.3 of our Terms of Service which state your responsibilities as an account owner.

Essentially, PokerStars said the fault of a compromised password lies solely on the account holder and that they can offer no further help in the matter. Blaming the player might seem like an easy answer, but victims aren’t willing to let the case drop so easily.

Accounts on PokerStars Hacked due to Lax Security?

For years, PokerStars has been considered the most reputable and trustworthy online poker room in the world, but for some players that may no longer be the case. Some players have become certain that the hacked PokerStars accounts were entirely the fault of the operator’s lax security measures.

Let’s take a look at some more evidence. In most cases, the culprit logged in from a foreign country, or at least hundreds of miles away from the account holder’s regular log-in location, but that never raised a red flag. A never-before-used credit card was used to make a deposit, but again, no red flag. A new Neteller account was used to withdraw; no red flag. Increased deposit limits and multiple purchases were made in a short period of time; no red flag. Multiple withdrawals to a never-before-used Neteller account; no red flag.
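The signals listed above can be combined into a session risk score that holds a cash-out for manual review. The following Python sketch is an added example, not PokerStars’ system and not code from the original article; the event fields, weights, threshold and sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    # What the account has been seen doing before (constructed sample state).
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    cards: set = field(default_factory=set)
    payout_accounts: set = field(default_factory=set)

# Hypothetical weights; a real system would tune these against fraud data.
WEIGHTS = {"new_country": 2, "new_device": 2, "limit_raised": 2,
           "new_card": 1, "new_payout_account": 3, "repeat_withdrawal": 2}
HOLD_THRESHOLD = 5  # assumed cut-off above which a cash-out is held

def evaluate_session(profile, events):
    """Return (sorted flags, score, hold) for one session's ordered events."""
    flags, withdrawals = set(), 0
    for ev in events:
        kind = ev["type"]
        if kind == "login":
            if ev["country"] not in profile.countries:
                flags.add("new_country")
            if ev["device"] not in profile.devices:
                flags.add("new_device")
        elif kind == "deposit_limit_increase":
            flags.add("limit_raised")
        elif kind == "deposit" and ev["card"] not in profile.cards:
            flags.add("new_card")
        elif kind == "withdrawal":
            withdrawals += 1
            if ev["to"] not in profile.payout_accounts:
                flags.add("new_payout_account")
            if withdrawals > 1:
                flags.add("repeat_withdrawal")
    score = sum(WEIGHTS[f] for f in flags)
    return sorted(flags), score, score >= HOLD_THRESHOLD

# Constructed events following the first victim's description of the session.
PROFILE = Profile({"US"}, {"dev-home"}, {"card-1111"}, set())
SESSION = [
    {"type": "login", "country": "XX", "device": "dev-unknown"},
    {"type": "deposit_limit_increase"},
    {"type": "deposit", "card": "card-9999"},
    {"type": "withdrawal", "to": "neteller-new", "amount": 800},
    {"type": "withdrawal", "to": "neteller-new", "amount": 790},
]

if __name__ == "__main__":
    print(evaluate_session(PROFILE, SESSION))
```

No single signal crosses the threshold on its own, so a player logging in while travelling is not blocked; it is the combination seen in the reported sessions that triggers the hold.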

What does it take to raise a red flag to the security team at PokerStars? Hacked account holders would certainly like to know the answer, and Michael Josem, head of PR at PokerStars (and formerly one of the key people responsible for unveiling the UltimateBet super-user scandal) finally responded with some answers.

Michael Josem responds to Accusations of PokerStars Hacked

PokerStars’ response on TwoPlusTwo indicated that hacks on the site are actually down since January 2015, and that it’s player awareness that’s on the rise thanks to their recent email notification policy. Josem said that 52% of all attempted hacks were thwarted this year, and that the other 48% resulted in an average loss of $57.09 per victim.

“Going forward, we have two key strategies to further reduce the already-decreasing frequency of accounts being ‘hacked’,” wrote Josem. “We will more actively promote account security enhancements to players to make their account more secure. In addition, we will continue to improve our system for evaluating risky cash-outs. We continually refine our cash-out systems to combat overall fraud trends, and we want to keep the frequency of hacked accounts moving in a downward direction.”

Josem said that the lack of any failed password attempts “strongly suggests that the hackers knew the passwords.” He defended the company by adding, “Because PokerStars follows the best-practice security guidelines for storing passwords, we don’t store a copy of a player’s password that can be decrypted. Thus, we can’t review the strength of passwords of the players who were hacked, and have only limited ability to evaluate how those passwords might have been obtained by the hackers.

“There is no evidence of any misbehaviour by PokerStars insiders in this situation. Because PokerStars passwords are hashed, even if a PokerStars insider were somehow able to gain access to the password database, they would not be able to decrypt a player’s password.”

Players were notified of three ways they can further protect their account information, all of which are available to PokerStars members at their own discretion. They can enable RSA Security Tokens, set up a special PokerStars PIN#, and/or enable SMS Validation.

While many online poker players have historically seen such measures as nuisances, given the recent outbreak of hacked PokerStars accounts, any and all members would be well advised to take advantage of these heightened security measures. Members can enable SMS Validation under the ‘Account’ tab, or set up a PokerStars PIN# here.