Saturday, December 03, 2011

Just Conjecturin', Volume 38: The Sad Case of the UB Data Leaks

Those of you paying attention in recent days have probably been aware of the leaking of approximately 3.5 million names' worth of data from the UB customer databases, for purposes uncertain but probably connected to the sale of the data for spamming use. The data may have been viewable by the public for as long as two weeks, but only in the last 48 hours or so was its public existence known.

The bad news is that the data was legitimate (although very messy); the good news is that as of earlier today, the business hosting the site finally got around to taking the site offline. The URL of the site won't be published here, and I hope those others that necessarily had access to the site in the course of determining the data authenticity and in getting the site shut down also continue to refrain from publishing it. The reason is simple: While the vast majority of the data on the site was stored in .xls or .csv spreadsheet files, there were a small handful of .txt files that may have been spidered during the time the site's contents were public. Those files, based on my own examination, contained either only e-mail addresses or e-mail addresses plus the related real-life names.

That's still too much. Elsewhere on the now-defunct site there were a handful of spamming tools and the log-in page for a low-end mass-mailing app, a sure sign that this was some spammer-wannabe's attempt at doing business gone awry.

What data was included? It depended on which file you looked at, but a generalized sampling from a typical file might have supplied the following:

First Name
Last Name
E-mail Address
IP Address (probably from where and when the acct was registered)
7-Digit Account Number (see notes below)
Screen Name
Street Address 1
Street Address 2
Date of Birth
Zip Code
Account Creation Date (see notes below)
(2) seldom-used fields which I believe were used to help flag internal accts; these were blank for about 99% of players
Referral Code (censored, see notes below)
Play Chip Balance (?)
Unknown Field (small whole-number or zero entry for most players)
Phone Number 1
Phone Number 2 (in almost all instances, merely duplicates Phone Number 1)
Real Money Balance 1
Unknown Field (has a non-zero balance only for selected players; it may be a Tournament$ field or something similar)
Account Creation Date (duplicate field)
Original Skin (this is "" for all accounts)
Real Money Balance 2 (?) (almost but not always equal to RMB 1)
VIP Account Status (i.e.: Bronze VIP)
(2) fields appearing to be connected to bonus balances
(Probable) Affiliate ID Code -- set to "299" for most old accts.
VIP Points Balance
Time Value, Unknown Purpose (value = minutes/seconds, only shown for a few percent of accounts)
Date Stamp, Unknown Purpose (seems to be a last-logon date, but it's only present for a small percentage of accounts.)
Affiliate/Direct Sign-Up (values are "Affiliate" or "Other")

Then comes a handful of fields of unknown use, excepting one largish field where each player's approved deposit methods are listed, in string form. Here's an example of the entries:

An associated field seems to represent the customer-service worker or supervisor who approved new methods of deposit.

The fields with the "see notes below" need a bit of explanation. There is a strong indication that a lot of the old UltimateBet accounts were rolled over to the new AP/Cereus system en masse, and when that was done, the old UB accounts would have needed new account numbers, so as not to duplicate existing AP accounts. These numbers correspond well to screen names listed in alphabetical order, and the account creation date is also connected, since thousands and thousands of these bear the same dates in November of 2008. It bears all the marks of a batch rollover between the two sites, when they finally merged.

Taken as a whole, the above list represents a ton of info, but the silver lining here is that no password fields seem to be present -- not that there's any reasonable expectation of players ever being able to log in and cash out their Cereus balances anyway. Noah at S:D reported finding what may be hashed (encoded) passwords attached to a small number of accounts in some of the other files, but I haven't found anything yet. I also haven't yet identified anything that I can say for certain is an Absolute Poker account (as opposed to an UltimateBet one), despite Todd Witteles' claims, but there's a lot of data here and Todd hasn't shared with anyone yet the specifics of why he believes AP accounts were included.
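The two observations above (account numbers that track alphabetically sorted screen names with creation dates piled onto a few days in November 2008, and the open question of whether any column carries password hashes) are the kind of thing a practitioner would want to check mechanically rather than by eyeballing a spreadsheet. The following is an added example, not code from the original post or from anyone who handled the leaked files; the column names, the sample rows and the thresholds are all constructed for the demonstration and are not the real schema. It scores a CSV dump on the batch-rollover signature and flags any column whose values look like hex digests of common hash lengths.

```python
"""Added example: heuristics for triaging a leaked customer-data dump.

Two checks on a constructed sample (column names and rows are made up):
  1. batch-rollover signature: do account numbers increase in step with
     alphabetically ordered screen names, and do creation dates cluster?
  2. hash-like columns: does any field look like an MD5/SHA-1/SHA-256 hex
     digest, which would change the severity of the leak?
"""
import csv
import io
import re
from collections import Counter

# Constructed sample resembling a bulk import: numbers assigned in name order,
# creation dates bunched on one day. The hex value in "extra" is a planted digest.
SAMPLE_CSV = """account_number,screen_name,created,ip_address,extra
1000001,aardvark,2008-11-14,10.0.0.1,
1000002,betsy_b,2008-11-14,10.0.0.2,
1000003,chipleader,2008-11-14,10.0.0.3,5f4dcc3b5aa765d61d8327deb882cf99
1000004,deadmoney,2008-11-14,10.0.0.4,
1000005,eagle_eye,2008-11-15,10.0.0.5,
1000006,fishfinder,2008-11-14,10.0.0.6,
2004411,zed_late,2010-03-02,10.0.0.7,
"""

# Constructed sample resembling organic sign-ups: names and dates uncorrelated.
ORGANIC_CSV = """account_number,screen_name,created,ip_address,extra
500,zorro,2005-01-03,10.1.0.1,
501,mike77,2005-01-09,10.1.0.2,
502,annie,2005-02-11,10.1.0.3,
503,river_rat,2005-02-20,10.1.0.4,
"""

# Hex digests of 32, 40 or 64 characters (MD5, SHA-1, SHA-256 as commonly stored).
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def rollover_signature(rows, acct="account_number", name="screen_name", created="created"):
    """Return (ordering_fraction, top_date_fraction).

    ordering_fraction: share of consecutive rows (sorted by account number)
    whose screen names are also in alphabetical order; near 1.0 suggests the
    numbers were handed out by walking an alphabetical list.
    top_date_fraction: share of rows carrying the single most common creation
    date; a large value is what a bulk load leaves behind.
    """
    ordered = sorted(rows, key=lambda r: int(r[acct]))
    names = [r[name].lower() for r in ordered]
    pairs = list(zip(names, names[1:]))
    in_order = sum(1 for a, b in pairs if a <= b)
    ordering_fraction = in_order / len(pairs) if pairs else 0.0
    dates = Counter(r[created] for r in ordered)
    top_date_fraction = dates.most_common(1)[0][1] / len(ordered) if ordered else 0.0
    return ordering_fraction, top_date_fraction


def hash_like_columns(rows):
    """Map column name -> count of non-empty values that look like hex digests."""
    counts = Counter()
    for r in rows:
        for col, val in r.items():
            if val and HASH_RE.match(val.strip()):
                counts[col] += 1
    return dict(counts)


def triage(text, order_threshold=0.9, date_threshold=0.5):
    """Summarise a dump: rollover verdict plus any columns that may hold hashes.

    The thresholds are assumptions chosen for the demonstration, not tuned values.
    """
    rows = load_rows(text)
    order_frac, date_frac = rollover_signature(rows)
    return {
        "rows": len(rows),
        "ordering_fraction": round(order_frac, 3),
        "top_date_fraction": round(date_frac, 3),
        "batch_rollover_likely": order_frac >= order_threshold and date_frac >= date_threshold,
        "hash_like_columns": hash_like_columns(rows),
    }


if __name__ == "__main__":
    print("bulk-import sample:", triage(SAMPLE_CSV))
    print("organic sample:    ", triage(ORGANIC_CSV))
```

On the bulk-import sample the screen names are in order for every consecutive pair and five of seven rows share one creation date, so the rollover verdict is positive and the planted digest in "extra" is reported; on the organic sample neither signal fires. The hash check only says a value is shaped like a digest, which is exactly the level of certainty the post reaches about the other files: a column of 32-character hex strings deserves a closer look, not a headline.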

I will update this post if I find anything more of extreme interest. And yet... there's a reason not only for this post, but for adding it to the "Just Conjecturin'" library.

As I've posted elsewhere, I was able to determine that these files were legitimate because I was able to compare them against other files I've already obtained. People on the forums are acting shocked that these files were out there, but I was already aware that there was a mass grab of information in the form of these datafiles done by IDS employees in the last year or so.

One of these other files was already leaked to me, containing the first tens of thousands of accounts ever created at UltimateBet, and it's been of immense value in helping piece together some of the early relationships at UltimateBet and parent company ieLogic.

No, I will not make that file public. Don't even ask.

The thing was, I've known for months that these player files were being pirated around, spirited out of the IDS corporate offices by disgruntled workers, though I'd hear about it second- or third- or fourth-hand. This latest batch of files literally screams "customer service," offering exactly the mix of account info necessary for a call-center or chat-line worker to be able to process an accountholder's typical range of inquiries.

The surprise to me is that people think this is something new, when I already assumed the worst: When AP went belly-up for all real purpose, and stiffed its workers in the process, stuff like this was guaranteed to happen. I've also had little doubt that the AP and UB customer-data files have already been sold off in more traditional manners, time and again, and are a source of at least some of the casino spam which plagues millions of in-boxes on the web. It is what it is.

Most players are just commodities to the online sites. That's the real why and how of it. Your data is secure as long as the site rakes in money, but once the squeeze comes, all bets are off, and anything that can be grabbed and sold is usually fair game.

To those concerned about what information is out there, I understand the problem. I don't like having my phone number out there in these files, nor some of the other information, but there's precious little any of us can do about it. That it is still being trafficked and sold without our permission is inevitable, because that's what info traffickers do.