A stronger firewall and a more secure user protection system will be implemented soon, according to an update released on April 11 by the Coinroll staff.
The much-needed upgrade of the Bitcoin dice site's security protocols could not have come at a better time, following the recent leak of the site's user database. The leak was made public by MacKeeper security researcher Chris Vickery after he stumbled upon a MongoDB database holding sensitive information about the site's member accounts.
Coinroll admitted that some users have already reported losing bitcoins from their account wallets:
“Lately some users claimed theft of their balance on Coinroll. We are aware of that and we're running a full audit and trying to determine if users were compromised or if there was a breach at Coinroll. We are now taking measures to increase security and taking all precautions necessary.”
Reports said Vickery discovered 4,610 user accounts believed to be linked to more than 9,668 wallets, putting those players at risk of losing their bitcoins.
Next step is to strengthen security measures
The Coinroll database leak included the hashed password of every account on the list. The passwords had been hashed with SHA-256, but without a salt, the random per-account value that is mixed into the password before it is hashed. Without a salt, every user who picked the same password ends up with the same hash, and a single pass over a dictionary of common passwords cracks every account that used one of them at once. Salting forces an attacker to work one account at a time and defeats precomputed hash tables, but it does not make cracking impossible: a bare SHA-256 is so fast that weak passwords still fall quickly, which is why password storage should use a salted and deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a plain hash.
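The following is an added example, not Coinroll's code and not based on its actual schema: it reproduces the weak scheme the article describes (bare SHA-256, no salt) against a constructed four-account table and a constructed six-word attacker wordlist, then shows the same dictionary attack against a salted, iterated PBKDF2-HMAC-SHA256 store. It goes one step beyond the article's salt-only remedy by also slowing the hash down, since a salted but fast SHA-256 still costs the attacker only one cheap hash per guess. The account names, passwords and wordlist are all made up for the demonstration; the 600,000 default iteration count is a current OWASP-recommended figure for PBKDF2-HMAC-SHA256, and the demo runs with a lower count purely to keep it quick.

```python
"""Unsalted SHA-256 versus a salted, slow password hash.

Added example (not Coinroll's code). All account data below is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed attacker wordlist of common passwords.
WORDLIST: List[str] = ["123456", "password", "bitcoin", "letmein", "qwerty", "dice2016"]

# Constructed accounts: two users chose the same weak password, one chose a strong one.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice": "bitcoin",
    "bob": "bitcoin",
    "carol": "letmein",
    "dave": "c0rrect-h0rse-battery",
}


def sha256_unsalted(password: str) -> str:
    """The scheme the article describes: a bare SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


# What a leaked table looks like under that scheme. Note alice and bob share a hash.
LEAKED_UNSALTED: Dict[str, str] = {u: sha256_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    One SHA-256 per candidate word builds a lookup table that cracks every
    account in the dump at once. Returns (cracked {user: password}, hash evaluations).
    """
    table = {sha256_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 (chosen for this example).

    A fresh 16-byte random salt per account makes shared lookup tables useless;
    the iteration count makes every guess cost the attacker a full KDF run.
    Stored format: algo$iterations$salt_hex$digest_hex.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def make_salted_table(passwords: Dict[str, str], iterations: int = 600_000) -> Dict[str, str]:
    """Build the same account table the right way: one random salt per account."""
    return {u: hash_password(p, iterations=iterations) for u, p in passwords.items()}


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against the salted store.

    No shared table is possible, so each (account, candidate) pair costs a full
    KDF run and the work scales with accounts x words. Weak passwords still fall,
    one account at a time, which is why salting alone is not 'uncrackable'.
    """
    cracked: Dict[str, str] = {}
    evaluations = 0
    for user, stored in leaked.items():
        for w in wordlist:
            evaluations += 1
            if verify_password(w, stored):
                cracked[user] = w
                break
    return cracked, evaluations


if __name__ == "__main__":
    c1, n1 = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: cracked {sorted(c1)} with {n1} hash evaluations")
    salted = make_salted_table(SAMPLE_PASSWORDS, iterations=20_000)  # lowered for demo speed
    c2, n2 = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: cracked {sorted(c2)} with {n2} KDF evaluations")
```

Against the unsalted dump, six hash computations crack three of the four accounts and the shared hash for alice and bob is visible before any guessing starts. Against the salted store, the same three weak passwords still fall, but only after one KDF evaluation per account and candidate, each of which costs as much as hundreds of thousands of SHA-256 calls at the default iteration count; the strong password is not recovered in either case.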
To address the risk from the exposed passwords, the Bitcoin dice site advised players whose accounts were created before April 7 of this year to contact the support team and request a password change. Players with no balance left in their account should instead create a new account if they want to keep playing Bitcoin dice.
Beyond the password change, Coinroll also plans to add an optional two-factor authentication step to the withdrawal system to prevent unauthorized cashouts.
Also on the to-do list is a switch from Ubuntu to Fedora. Juan-Samuel Codina-Fauteux, marketing and affiliate manager at Coinroll, said a recent Ubuntu update could be the culprit: it is believed to have changed certain rules in UFW, Ubuntu's front end to the system firewall, leaving the firewall weaker than the staff had configured it.
The fiasco, however, cannot be blamed entirely on the Ubuntu update, since Coinroll's IT staff had never secured the MongoDB database with an admin password. A database that accepts unauthenticated connections is only as private as the firewall in front of it, so a single rule change was enough to expose it to anyone on the internet.
Keeping the damage under control
The Coinroll database leak also prompted the site to temporarily suspend all withdrawals and deposits to make way for the investigation. Bitcoin payments are expected to resume next week or earlier, once every measure to secure user funds is in place.
Vickery believed the Bitcoin thefts on Coinroll most likely happened because someone found the exposed database online before he did and either cracked the passwords of certain accounts or found another way to use the database contents to get at the funds.
Meanwhile, Coinroll clarified that, apart from the reported stolen balances, no other accounts or funds have been compromised.