Cyber Incident Victim: TwoPlusTwo
Date: Dec 2016
Location: United States of America
Summary
A prominent online poker discussion forum experienced a security breach resulting in the theft of user data, which was subsequently offered for sale online. The intrusion was discovered by a professional poker player who alerted the community via social media and the platform itself after learning of the incident from an associate. Compromised information included email and IP addresses, birthdates, account activity timestamps, and hashed passwords susceptible to offline cracking. Forum operators confirmed unauthorized access to their systems, acknowledging the exposure of sensitive member details.
Description
The TwoPlusTwo poker forum, recognized as the world's largest online poker discussion platform, experienced a cybersecurity breach in late 2016, with the intrusion occurring on or around December 31. The compromise remained undetected until early January 2017, when British poker professional Max Silver identified evidence of the incident. Silver learned about the potential breach through a contact and subsequently verified the theft of user data before publicly disclosing the incident through his Twitter account and directly on the TwoPlusTwo forums. The attackers exfiltrated multiple categories of user information, including registered email addresses, IP addresses associated with accounts, birthdates, last login timestamps, account registration dates, and password hashes. Security analysts noted the hashed passwords were vulnerable to offline cracking attempts with sufficient computational resources, potentially exposing plaintext credentials.

TwoPlusTwo's operators confirmed the breach following Silver's disclosures, acknowledging that stolen data had appeared for sale on underground cybercrime platforms. The exposed personal information created risks of credential-stuffing attacks, phishing campaigns leveraging stolen email addresses, and identity fraud due to the combination of birthdates with other identifiers. The forum did not publicly specify the technical vector of the attack, the number of affected accounts, or whether additional financial data was accessed. No details regarding containment measures, forced password resets, or user notifications were disclosed in available reports. The incident marked at least the second known breach of TwoPlusTwo's systems, highlighting persistent vulnerabilities in safeguarding user data despite prior security incidents.
