Hey guys, remember this story?

I was really gaining traction, until it was drowned out by explosive cheating allegations involving Ali Imsirovic and Bryn Kenney.

In any case, I believe this has mostly reached a conclusion. I recently got contacted by a guy whose account was breached on April 6 -- the latest known instance of this. However, this is still one day BEFORE they made a public statement about it, and took their mobile app offline.

The mobile app is back now, after about a 2-week hiatus. I have not received reports about any further incidents since April 6. Oddly, a low-stakes player victimized for $125 on March 24 claims he was DENIED a refund! I told him to e-mail again, bring up this scandal, and let me know if they still refuse.

It does appear that they most likely closed this vulnerability on April 7, and this probably won't be happening anymore. However, ACR has not been completely truthful about the whole thing, as I've already mentioned.

One thing I have found that is constant among the victims -- they DID use the same passwords on ACR as they did on some other websites. Not a single one told me they had a unique password for ACR. This makes ACR's "credential stuffing attack" claim seem true. However, it ALSO seems that this was done by an insider -- one who likely needed the outside database of hacked passwords in order to make the rest of his plan work.

I will share below my tweets about my recent conclusions:

https://twitter.com/ToddWitteles/status/1518052515459203072

https://twitter.com/ToddWitteles/status/1518053957985177600

https://twitter.com/ToddWitteles/status/1518055206214270977

https://twitter.com/ToddWitteles/status/1518056180026777600

https://twitter.com/ToddWitteles/status/1518060680061980672