Quote Originally Posted by PositiveVariance
As far as the verification email to verify the new device being used - After the players realized their accounts had been drained, was the verification email still in their inbox as "new mail"? Or is there a way for the player to retroactively see if the link was clicked?

It wouldn't be too much of a stretch to assume these people also used the same password for their email account as they used for their ACR account, since they used it for at least 2 other accounts, assuming a CSA Attack was used.

A side note - You would think modern technology would prevent blasting email and password combinations to a site, even if they used multiple devices. Strange.

As far as the small 3 digit withdrawal, it's possible they came across accounts that had low to no balances during their process and made a list of accounts that were active with regular activity, and repeatedly logged into these accounts throughout the day knowing some will eventually get a deposit. When the account had $68 they may have figured it wasn't worth a withdrawal to expose the hack, knowing it would eventually get a deposit. Once the player deposited $267, they may have realized that's as good as it would get. It could be a 3rd world country where they are paying someone $20/day to repeatedly log into a list of previously accessed accounts that were hacked but had low to no balances - They continuously login until they get one where someone made a deposit. Just a theory.

Also, I think there could be a half truth to ACR's explanation that maybe they did have an outside party that accessed accounts with the emails and passwords, then at some point recruited a rogue employee to seam things together. They can "recruit" dishonest employees off sites such as LinkedIn; it probably wouldn't take long to find someone that would work with you.

But yeah, overall there is suspicion about ACR's explanation of it being a "Credential Stuffing Attack". Seems like the easiest way to deflect blame.
You raise some good points here, but when I think about the totality of information I have, it just doesn't make sense for it to be a simple credential stuffing attack by outsiders.

For one, the first guy who reported this on Twitter (the one in the original post of this thread) insists that his Hotmail does not have any logs of strange IPs logging in, and the new device verification e-mail was unopened.

Many others didn't get a new device verification e-mail at all.

If there's any credential stuffing going on, it might be that some clever insider bought a list of e-mail/password combos on the black market, auto-deleted any e-mail which didn't match ACR accounts, and then was able to read or intercept the new device verification link e-mail. That is, it's possible that the passwords on ACR really were securely stored, but the outgoing e-mail queue was not secure, so anyone with server access and a list of bought passwords could probably get into some accounts.

It's very possible that accounts were targeted after they saw some event in the system logs -- a player standing up from a cash table with thousands, winning a tournament, or depositing new funds.

It is unlikely that they were repeatedly logging into accounts to check if they had new deposits, because that wouldn't be worth their time. Most deposits are fairly small. It would be much more effective to simply target the accounts with $5000+ balances, and steal them, while not going after the huge accounts which might be under some kind of review at withdrawal.

I got another update e-mail from yet another victim -- one I haven't mentioned here yet. This guy had about $2200 in his account, but only $2000 was stolen. (Notice the $200 left over, just like in the first-described theft.) He did NOT get a new device e-mail, only the withdrawal e-mail.

He just got back his money yesterday. This was the latest known theft -- Sunday, April 3.

I had him ask for the IP and bitcoin address info regarding the withdrawal, and of course ACR ignored him.
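The quoted post's remark that a site should be able to spot email/password combinations being blasted at it "even if they used multiple devices" corresponds to two detection patterns a site operator can check for in its own login logs. As an added example (not from the thread, and not ACR's code), this Python sketch runs both checks over constructed login-log lines: one IP walking many accounts, and one account hit from many IPs, then lists the successful logins that fall inside either pattern.

```python
from collections import defaultdict

# Constructed sample log lines (not real ACR data): timestamp ip account result
SAMPLE_LOG = """\
2022-04-03T10:00:01 203.0.113.5 alice FAIL
2022-04-03T10:00:02 203.0.113.5 bob FAIL
2022-04-03T10:00:03 203.0.113.5 carol FAIL
2022-04-03T10:00:04 203.0.113.5 dave SUCCESS
2022-04-03T10:01:00 198.51.100.1 erin FAIL
2022-04-03T10:01:05 198.51.100.2 erin FAIL
2022-04-03T10:01:09 198.51.100.3 erin SUCCESS
2022-04-03T10:02:00 192.0.2.9 frank FAIL
2022-04-03T10:02:30 192.0.2.9 frank SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, ip, account, result) tuples from the space-separated log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            yield ts, ip, account, result


def detect_credential_stuffing(log_text, ip_threshold=3, account_threshold=3):
    """Return IPs spraying many accounts, accounts hit from many IPs,
    and the successful logins that touch either set."""
    accounts_per_ip = defaultdict(set)   # ip -> accounts it attempted
    ips_per_account = defaultdict(set)   # account -> IPs that attempted it
    successes = []
    for ts, ip, account, result in parse(log_text):
        accounts_per_ip[ip].add(account)
        ips_per_account[account].add(ip)
        if result == "SUCCESS":
            successes.append((ts, ip, account))
    # One device walking a list of accounts: many distinct accounts from one IP.
    spraying_ips = {ip for ip, accts in accounts_per_ip.items() if len(accts) >= ip_threshold}
    # Distributed variant ("multiple devices"): one account tried from many IPs.
    targeted_accounts = {a for a, ips in ips_per_account.items() if len(ips) >= account_threshold}
    # A success inside either pattern is the login worth confirming with the customer.
    # frank (one IP, one retry) is a normal mistyped password and is not flagged.
    suspect_logins = [(ts, ip, account) for ts, ip, account in successes
                      if ip in spraying_ips or account in targeted_accounts]
    return {"spraying_ips": spraying_ips, "targeted_accounts": targeted_accounts,
            "suspect_logins": suspect_logins}


if __name__ == "__main__":
    for key, value in detect_credential_stuffing(SAMPLE_LOG).items():
        print(key, sorted(value))
```

A production version would apply the same counts per time window rather than over the whole log, so that a legitimate shared NAT address does not accumulate into a false positive.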