Analysis of UB Database Leak

December 4, 2011

Nobody is surprised when another scandal involving UB or Absolute Poker is announced. They cheated their own customers with superuser accounts that could see people's hole cards. They covered up the cheating after their own players discovered and proved it. They "lost" hand histories pertaining to the cheating. And even after all that, they were found to have very weak data encryption. They finally topped it all off by not having any of the player funds actually on deposit, leaving account holders empty-handed after Black Friday.

When it was revealed that the personal information of most of UB's players found its way onto a shady website, the public response was muted, to say the least. Even though the situation was a pretty serious violation of privacy -- the biggest to ever hit online poker -- most people responded with a collective yawn.

"UB and AP screwed up again? Never saw that one coming!"

However, if you're one of the few like me with real interest in this matter, you'll probably enjoy this blog. And if you're mainly here because you're concerned about how much of your private info has fallen into the wrong hands, perhaps you'll understand the situation a bit better after reading everything here.

Before I begin, I would like to request that you do not contact me with requests for a copy of the leaked data. I made a promise to the person that provided it to me that I wouldn't distribute it. I keep all of my promises, and I can't make any exceptions, because that would be breaking my word. In addition, I don't want to further contribute to the invasion of privacy that has already occurred. Hopefully you will be able to rest a little bit easier after reading this analysis and you'll better understand what is and isn't out there.

So what happened?

Over 150 files appeared in a public area of a shady, affiliate-type website. These files were mostly Excel spreadsheets containing personal information of a lot (but not all) of UB's players. The files were mostly split up by country of origin. Each row of the spreadsheet contained an individual player's information. I will give a more detailed description of the Excel files later in this blog, but here's a quick summary of what was listed:

It is not clear how or why these files ended up on that particular site. It was not an actively used site, nor was the data presented as if it were intentionally put there. In fact, the site itself had zero content. It appears that the public release of the data was accidental, and was probably uploaded by someone who stole the info from within UB (ex-employee?) and was packaging it to sell to spammers and/or online casinos.

It is also not clear how this was found. An anonymous screen name on the 2+2 forums posted the link to these files, but that post was removed (by the author) very quickly. It appears that relatively few people have seen these files, and those that have seem to be doing a good job of keeping it out of the general public's hands -- at least so far.

Here are two articles explaining it in more detail. Neither is 100% correct (I'll get to that shortly), but they do a pretty good job explaining the situation:

Kickass Poker Article
Subject:Poker Article

Note that the leaked information did NOT contain social security numbers, credit card numbers, or bank account numbers. The Excel spreadsheets also do not contain any passwords. While some of the other files are said to have some passwords, these do not appear to be real passwords -- perhaps temporary ones when accounts were started.

Can you explain the Excel spreadsheets?

The Excel spreadsheets are labeled by country. They contain just about every country you can think of, as well as lightly-populated geographic areas such as Antarctica. So were some of the world's top research scientists huddled in a shack on the South Pole, getting ripped off by Russ Hamilton on UB?

Not exactly.

The "country" is only as good as the user providing it. Some users provided bogus countries as a joke, especially if they weren't interested in actually playing real money. For example, one of UB's Antarctica residents lived on 232 Gofuckyourself Street. I assume that's probably in the ghetto of Antarctica, but never having been there, I can't be certain.

Anyway, there are 3.2 million records total, spread over 100 Excel files. There are about 50 fields in each record, and I'll explain each one in detail below. Please note that these are not always consistent. That is, what shows up in column "G" in some files appears in "J" in others. In some of the larger files (such as the USA ones), the format actually changes within the file, as if a few files were merged together at some point. I am listing the format most commonly found, as I'm really just trying to give you an idea of what data is presented.

Furthermore, keep in mind that not all of the players listed are "real". That is, they were from UB's actual player database, but only the ones playing for real money were verified, which allowed Antarcticans on Gofuckyourself Street to join the site and show up in this file. However, this is the exception rather than the rule, so most of the 3.2 million players listed are actual people with info that was correct at the time.

The fields in the Excel files are as follows (labeled A-BA):

Inaccurate Info in Other Articles

I have a lot of respect for Subject:Poker and what they do, and while I am not familiar with "Kickass Poker", they also wrote a quality article explaining everything. However, there are two important mistakes that I feel need to be clarified.

First off, both articles claim that only UB accounts are listed, and that accounts signed up through AP are not. THIS IS COMPLETELY FALSE. While I cannot give you the percentage of AP accounts that made it into these files, I have found many, including some of my own.

I had four different accounts on Absolute Poker. Here is how I came to acquire each of them:

VegasPoker247 then fell apart, and AP absorbed them, as they did with Goal Poker. I was forced to choose between Account #3 and #4 -- the only two active accounts I still had there. I went with Account #3, since it had the better table image. They then closed Account #4. This left #3 as my only account remaining on AP.

On UB, I had two accounts (which I'll list as #5 and #6):

When the AP/UB network merger happened (where they called themselves Cereus), my two active accounts were #3 and #5. I did not play on either of them, but they were both active in good standing.

Based upon the above, which ones would you expect to be in the leaked files? Most people would guess either #5 and #6 (since the database was said to only contain UB accounts), or #3 and #5 (since those were the only two left active). However, neither is the case.

The accounts listed in the leaked Excel files are #1, #4, and #5. Most notably absent is #3, which was my only AP account in good standing, and the most active of all my AP accounts. So how did this happen? I have a theory.

Accounts #1 and #4 were the only ones created on AP itself. #2 and #3 were made on AP skins, and eventually merged into the network. Similarly, #5 was created on UB, while #6 was through a skin. Therefore, this list seems to contain accounts created directly on the flagship sites (AP or UB), and not ones brought into the network through skins.

Keep in mind that Accounts #1 and #4 were never active on the Cereus network. They were closed long before that.

The second error in the articles is the claim that player balances are listed. I can't say for sure that they aren't listed, but I also can't say that they are. There are various numbers scattered through each record's 50 fields, but none are convincingly player balances. Note that none of the numeric fields shows the roughly random spread of cents you would expect from account balances. That is, these mysterious numeric fields are either all whole numbers (which makes it unlikely that they are player balances), or are a mixture of whole numbers and decimals, but the decimals are far too commonly .5, and there are also far more whole numbers than one would expect. This casts doubt upon the player balance theory. I don't believe we have enough information at this time to claim that player balances are or aren't in the Excel files. That remains an unknown.
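The cents-distribution argument above can be checked mechanically against any numeric column of a spreadsheet export. This is an added example, not code from the original post and not derived from the leaked files; the two sample columns are constructed with a seeded generator, and the thresholds are my own assumptions about what a column of real money balances looks like.

```python
from decimal import Decimal, InvalidOperation
import random


def cent_values(cells):
    """Parse spreadsheet cells (strings) as Decimals, skipping blanks and
    non-numeric junk, and return the cents part (0-99) of each value."""
    cents = []
    for cell in cells:
        try:
            d = abs(Decimal(str(cell).strip()))
        except InvalidOperation:
            continue  # blank or non-numeric cell, ignore it
        cents.append(int((d % 1) * 100))
    return cents


def cents_profile(cells):
    """Summarise how the fractional parts of a column are distributed."""
    cents = cent_values(cells)
    n = len(cents)
    if n == 0:
        return None
    return {
        "n": n,
        "whole_frac": sum(c == 0 for c in cents) / n,   # share of whole numbers
        "half_frac": sum(c == 50 for c in cents) / n,   # share ending in .50
        "distinct_cents": len(set(cents)),              # how many cent values occur
    }


def looks_like_balances(cells, max_whole_frac=0.40, max_half_frac=0.10, min_distinct=30):
    """Heuristic from the post: a real balance column should show a wide spread
    of cent values; dominance of whole numbers and .5 argues against it.
    Thresholds are assumptions, not measured from any real data."""
    p = cents_profile(cells)
    if p is None or p["n"] < 100:
        return False  # too few values to judge either way
    return (p["whole_frac"] <= max_whole_frac
            and p["half_frac"] <= max_half_frac
            and p["distinct_cents"] >= min_distinct)


def constructed_columns(seed=1, n=500):
    """Constructed sample data: one column shaped like the fields described
    in the post (whole numbers and .5), one shaped like genuine balances."""
    rng = random.Random(seed)
    suspicious = [f"{rng.randint(0, 500)}{rng.choice(['', '', '', '.5'])}" for _ in range(n)]
    balance_like = [f"{rng.randint(0, 500)}.{rng.randint(0, 99):02d}" for _ in range(n)]
    return suspicious, balance_like
```

Feed `looks_like_balances` each numeric column of an export in turn; a column that fails on every file is unlikely to be a balance, whatever its header says.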

Reasons This Appears to Be the Work of a Careless Spam Salesman

  1. The data was presented in a very disorganized fashion, with no introduction. If someone were distributing this on purpose, they would have presented it more clearly, and wouldn't have left the other internals of their site open for public examination.
  2. The data was organized in a fashion that would appeal to those buying e-mail addresses for purposes of spamming.
  3. Various possible clients for purchasing this data seem to be identified in some of the files. They are not specifically mentioned as clients, but it is a logical conclusion that one can draw from some of the filenames seen.
  4. The person who posted about the data on 2+2 quickly deleted the info, as if they were showing remorse. Someone who intentionally wanted this distributed would not have acted in such a fashion.
  5. The website where the data appeared had a history of being involved with spam.

I believe that an unscrupulous UB employee obtained this data a while back, and then looked for customers to purchase it. 3.2 million e-mail addresses from a poker site (including personal info and other relevant data) would be quite valuable to other online gaming companies. It is possible that the ex-employee himself uploaded this data and failed to put it in a private area, or he might have sold it to someone else specializing in this sort of thing, who was just inexplicably careless with it. In any case, this seems to be an accident, and not a malicious attempt to harm UB. Let's face it -- their reputation is already about as bad as it could possibly be, so this scandal won't really hurt them!

The person who posted it on 2+2 probably stumbled upon it by accident, posted it to 2+2 for lulz, and then felt bad and deleted it.

Summary

  • The data leak seems to be an unintentional slip-up by a spammer who was trying to sell UB customer info.
  • Your social security number, credit card numbers, bank account numbers, and passwords don't seem to be compromised.
  • Your address, phone number, e-mail address, IP address, VIP level, and date of birth are probably in these files.
  • People with access to these files can probably look up your AP/UB screen name and associate it with your real name.
  • Both AP and UB accounts are in these files, but apparently not ones that were registered through skins.
  • It is not clear whether or not player balances are listed in these files.
  • There seem to be some shady codes in these files (such as the weird foreign city / country combo) that have yet to be deciphered.


    Please do not repost this without a link to dandruffpoker.com.