Bitcoin online casino Coinroll has warned its customers that their account data may have been compromised.
Late last month, Chris Vickery, a researcher at online security firm MacKeeper, reported discovering an online database containing information from 4,610 Coinroll.com accounts. Softpedia reported that the Coinroll account info was linked to 9.668 Bitcoin wallets.
Vickery reported that the Coinroll database had employed a strong SHA256 cryptographic algorithm to hash the account password strings but the database wasn’t salted with random info, which would have made the passwords nearly impervious to prying eyes. The database also lacked an administrative password, allowing any interested party to download the information.
Last week, Coinroll posted a message to its site alerting customers to the potential breach after receiving reports that some users’ account balances had been stolen. Coinroll insisted that there were only a “few claims” of unauthorized withdrawals but advised all players who’d opened accounts prior to April 7 to change their account passwords.
Coinroll said it had temporarily disabled all withdrawal and deposit functions while it investigated the extent of the breach. The site also said it would take further steps to prevent further shenanigans, including the addition of a two-factor authentication option for withdrawals. On Monday, the site’s chat logs indicate that full deposit and withdrawal functions may be restored by “at least next week, maybe sooner.”
Coinroll marketing and affiliate manager Juan-Samuel Codina Fauteux told Vickery that the database leak was the result of an update to Coinroll’s Ubuntu operating system that unknowingly changed some settings in Ubuntu’s UFW firewall configuration tool. The company is planning a shift from Ubuntu to rival Linux-based OS Fedora to avoid a repeat occurrence of this type. However, the company owned up to the fact that they had neglected to set an administrative password for the database.