Analysis of UB Database Leak

Nobody is surprised when another scandal involving UB or Absolute Poker is announced. They cheated their own customers with superuser accounts that could see people's hole cards. They covered up the cheating after their own players discovered and proved it. They "lost" hand histories pertaining to the cheating. And even after all that, they were found to have very weak data encryption. They finally topped it all off by not having any of the player funds actually on deposit, leaving account holders empty-handed after Black Friday.

When it was revealed that the personal information of most of UB's players found its way onto a shady website, the public response was muted, to say the least. Even though the situation was a pretty serious violation of privacy -- the biggest to ever hit online poker -- most people responded with a collective yawn.

"UB and AP screwed up again? Never saw that one coming!"

However, if you're one of the few like me with real interest in this matter, you'll probably enjoy this blog. And if you're mainly here because you're concerned about how much of your private info has fallen into the wrong hands, perhaps you'll understand the situation a bit better after reading everything here.

Before I begin, I would like to request that you do not contact me with requests for a copy of the leaked data. I made a promise to the person that provided it to me that I wouldn't distribute it. I keep all of my promises, and I can't make any exceptions, because that would be breaking my word. In addition, I don't want to further contribute to the invasion of privacy that has already occurred. Hopefully you will be able to rest a little bit easier after reading this analysis and you'll better understand what is and isn't out there.

So what happened?

Over 150 files appeared in a public area of a shady, affiliate-type website. These files were mostly Excel spreadsheets containing personal information of a lot (but not all) of UB's players. The files were mostly split up by country of origin. Each row of the spreadsheet contained an individual player's information. I will give a more detailed description of the Excel files later in this blog, but here's a quick summary of what was listed:

• Screen names
• First and last names
• Full addresses (street, city, state, country, ZIP)
• E-mail addresses
• Phone numbers (for some players, not all)
• IP addresses
• VIP Level, and Blacklist/Chargeback status
• Deposit methods used (for some players, not all)
• Withdrawal methods used (for some players, not all)
• Various numbers that were hard to decipher. These could be player balances, VIP point balances, or many other things used internally.
• Date of signup (for some players, not all)
• Date of birth
• Other weird fields that cannot be explained/deciphered

It is not clear how or why these files ended up on that particular site. It was not an actively used site, nor was the data presented as if it were intentionally put there. In fact, the site itself had zero content. It appears that the public release of the data was accidental, and was probably uploaded by someone who stole the info from within UB (ex-employee?) and was packaging it to sell to spammers and/or online casinos.

It is also not clear how this was found. An anonymous screen name on the 2+2 forums posted the link to these files, but that post was removed (by the author) very quickly. It appears that relatively few people have seen these files, and those that have seem to be doing a good job of keeping it out of the general public's hands -- at least so far.

Here are two articles explaining it in more detail. Neither is 100% correct (I'll get to that shortly), but they do a pretty good job explaining the situation:

Kickass Poker Article
Subject:Poker Article

Note that the leaked information did NOT contain social security numbers, credit card numbers, or bank account numbers. The Excel spreadsheets also do not contain any passwords. While some of the other files are said to have some passwords, these do not appear to be real passwords -- perhaps temporary ones when accounts were started.

Can you explain the Excel spreadsheets?

The Excel spreadsheets are labeled by country. They contain just about every country you can think of, as well as lightly-populated geographic areas such as Antarctica. So were some of the world's top research scientists huddled in a shack on the South Pole, getting ripped off by Russ Hamilton on UB?

Not exactly.

The "country" is only as good as the user providing it. Some users provided bogus countries as a joke, especially if they weren't interested in actually playing real money. For example, one of UB's Antarctica residents lived on 232 Gofuckyourself Street. I assume that's probably in the ghetto of Antarctica, but never having been there, I can't be certain.

Anyway, there's 3.2 million records total, spread over 100 Excel files. There's about 50 fields in each record, and I'll explain each one in detail below. Please note that these are not always consistent. That is, what shows up in column "G" in some files appears in "J" in others. In some of the larger files (such as the USA ones), the format actually changes within the file, as if a few files were merged together at some point. I am listing the format most commonly found, as I'm really just trying to give you an idea of what data is presented.

Furthermore, keep in mind that not all of the players listed are "real". That is, they were from UB's actual player database, but only the ones playing for real money were verified, which allowed Antarcticans on Gofuckyourself Street to join the site and show up in this file. However, this is more of the exception and not the rule, so most of the 3.2 million players listed are actual people with info that was correct at the time.

The fields in the Excel files are as follows (labeled A-BA):

• A: First name
• B: Last name
• C: Country
• D: E-mail
• E: IP address
• F: Presumably internal user ID #, most 7 digits but some have weird values like 0 or 299
• G: Screen name, though some are blank or peculiarly listed as just "Amazones"
• H: Street address
• I: Street address line 2
• J: City
• K: State/Province
• L: ZIP
• M: Another IP address
• N: A timestamp from 11/24/2008 or 11/25/2008. Not sure what this means. Perhaps the time the record was imported into this particular database.
• O and P: Blank
• Q: Some say "UltimateBet", some don't, but there is no clear pattern. It says this for some AP accounts, for example, even if those accounts were blacklisted before the UB/AP merger.
• R: A number, 100000 for most people, higher for some, lower for a few. Might be play money balance.
• S: A number, 0 for most, low (under 1000) for others, and higher (4, 5, or 6 figures) for a few. Part of me thinks this is the real money balance, but the cents are missing, so I'm not sure what to say.
• T: Phone number. Some of the phone numbers listed have been verified.
• U: Seems to be the same as the T field.
• V: A number with two figures after the decimal point. 0 for many, small for some, larger (4-5 figures) for others. Also could be a player balance, but there seem to be too many whole numbers and values ending with .5.
• W: Mostly zero, but in a few cases a small number. Not sure what this is.
• X: Identical to column N
• Y and Z: Blank
• AA: Says "UltimateBet.Com" for everyone
• AB: Seems to be a repeat of the V field
• AC: VIP level, though some are listed as "Blacklist User" or "Chargeback/Refund". From what I can tell, the ones listed as "Chargeback/Refund" are the actual "banned" users, for charging back after depositing. The ones shown as "Blacklist User" seem to be accounts disabled because the user had too many accounts when various failed skins merged back into AP, and the user was forced to choose between his various AP accounts and keep one.
• AD: Blank for some, 0 for a few, small numbers for even fewer
• AE: If AD was blank, AE is blank. Otherwise, it's a number higher than AD, sometimes low, sometimes 4-5 figures. Don't know what this would be. Could be player balanecs, but could also be something else.
• AF: 299 for everyone
• AG: Gender of player
• AH: Some weird whole number, but blank for many. When not blank, the most common values are "2" or "712".
• AI: Blank
• AJ: Seems to be a time value, such as 03:34.4. Most are blank. It's some kind of timer, in the minutes:seconds.tenths format, but I can't tell what it would be. None are over an hour.
• AK: Some list the date the player signed up, others are blank
• AL: Says either "Other" or "Affiliate". I assume this refers to whether or not the player signed up through an affiliate, meaning that the ones listed as "Other" didn't.
• AM: For some, a date in 2009 or 2010 is listed. Most are blank. The significance of the date is unknown.
• AN and AO: These are the weirdest two fields. They list what appears to be a random city in the world, such as "Oulu" / "Finland" (in AN / AO), but these cities/countries have nothing to do with the player. They seem to be all over the world, and in some cases are odd places such as Algeria. Must be a weird code for something that actually has nothing to do with geography.
• AP: Either listed as "Y" or blank. I am assuming the ones with "Y" have permission to do something that the blank ones don't.
• AQ: All are listed as "Y"
• AR: Again a state, perhaps identical to the K field, or perhaps the original state the user signed up from.
• AS, AT, AU: All listed as 0.
• AV: That weird time thing again, similar to AJ, but a different value. Blank for many.
• AW: Apparently lists the ways the user has deposited to the site. For example, one value is "ACH_Dep8+ACH_Dep11+ACH_Dep16+HYPERCRG5", which would appear that the user deposited in 3 different ways using EChecks, and used something else called HyperCharge, as well. No credit card or account numbers are listed here -- only those codes. Blank for many, as would be expected, since most never deposited real money.
• AX: Apparently the withdrawal method. For example, "eptwu_ui", which would seem to mean EPassporte or Western Union (or both?)
• AY, AZ, BA: Mostly blank, but sometimes that weird time value

Inaccurate Info in Other Articles

I have a lot of respect for Subject:Poker and what they do, and while I am not familiar with "Kickass Poker", they also wrote a quality article explaining everything. However, there are two important mistakes that I feel that need to be clarified.

First off, both articles claim that only UB accounts are listed, and that accounts signed up through AP are not. THIS IS COMPLETELY FALSE. While I cannot give you the percentage of AP accounts that made it into these files, I have found many, including some of my own.

I had four different accounts on Absolute Poker. Here is how I came to acquire each of them:

• Account #1 was my original AP account. I did not realize that AP provided rakeback at the time, so I stupidly signed up directly.
• Account #2 was an account I created on a short-lived AP skin called Goal Poker. I made this account because I wanted rakeback, and AP themselves arrogantly refused to give it to me after-the-fact, even though I was a high-raking player. Goal Poker folded, AP paid out their balances, and closed their accounts, including this one.
• Account #3 was an account I created on another skin, called VegasPoker247. Again, I did this to get rakeback. I played a lot on this account, and it won a lot of money, developing a table image that I liked.
• Account #4 was created on AP, and was given rakeback. They allowed me to do this when I heard they were giving away free Aruba tournament packages to their active players, while VegasPoker247 wasn't. They agreed to give me this package if I switched back to AP, and played really actively for a month, which I did. They disabled Account #1 when I created this.

On UB, I had two accounts (which I'll list as #5 and #6):

• Account #5 was my main UB account that I created in 2003.
• Account #6 was my account on the short-lived skin Pokershare, which quickly was forced off the UB network. Player balances were paid, and accounts were closed, including this one.

When the AP/UB network merger happened (where they called themselves Cereus), my two active accounts were #3 and #5. I did not play on either of them, but they were both active in good standing.

Based upon the above, which ones would you expect to be in the leaked files? Most people would guess either #5 and #6 (since the database was said to only contain UB accounts), or #3 and #5 (since those were the only two left active). However, neither is the case.

The accounts listed in the leaked Excel files are #1, #4, and #5. Most notably absent is #3, which was my only AP account in good standing, and the most active of all my AP accounts. So how did this happen? I have a theory.

Accounts #1 and #4 were the only ones created on AP itself. #2 and #3 were made on AP skins, and eventually merged into the network. Similarly, #5 was created on UB, while #6 was through a skin. Therefore, it looks like this list seems to contain accounts created directly on the flagship sites (AP or UB), and not ones brought into the network through skins.

Keep in mind that Accounts #1 and #4 were never active on the Cereus network. They were closed long before that.

The second error in the articles is the claim that player balances are listed. I can't say for sure that they aren't listed, but I also can't say that they are. There are various numbers scattered through each record's 50 fields, but none are convincingly player balances. Note that no field has a random distribution of cents. That is, these mysterious numeric fields are either all whole numbers (which makes it unlikely to be player balances), or are a mixture of whole numbers and decimals, but the decimals are far too commonly .5, and there are also far more whole numbers than one would expect. Therefore, this casts doubt upon the player balance theory. I don't believe we have enough information at this time to claim that player balances are or aren't in the Excel files. That remains an unknown.

Reasons This Appears to Be the Work of a Careless Spam Salesman

1. The data was presented in a very disorganized fashion, with no introduction. If someone was distributing this on purpose, they would have presented it more clearly, and wouldn't have left the other internals of their site open for public examination.
2. The data was organized in a fashion that would appeal to those buying e-mail addresses for purposes of spamming.
3. Various possible clients for purchasing this data seem to be identified in some of the files. They are not specifically mentioned as clients, but it is a logical conclusion that one can draw from some of the filenames seen.
4. The person who posted about the data on 2+2 quickly deleted the info, as if they were showing remorse. Someone who intentionally wanted this distributed would not have acted in such a fashion.
5. The website where the data appeared had a history of being involved with spam.

I believe that an unscrupulous UB employee obtained this data awhile back, and then looked for customers to purchase it. 3.2 million e-mail addresses from a poker site (including personal info and other relevant data) would be quite valuable to other online gaming companies. It is possible that the ex-employee himself uploaded this data and failed to put it in a private area, or he might have sold it to someone else specializing in this sort of thing, who was just inexplicably careless with it. In any case, this seems to be an accident, and not a malicious attempt to harm UB. Let's face it -- their reputation is already about as bad as it could possibly be, so this scandal won't really hurt them!

The person who posted it on 2+2 probably stumbled upon it by accident, posted it to 2+2 for lulz, and then felt bad and deleted it.

Summary