Cyber Incident Victim: Coinroll Bitcoin Casino
Date: Mar 2016
Location: United States of America
Summary
A Bitcoin casino experienced a security breach when an unprotected MongoDB database was discovered online, exposing sensitive customer data including hashed but unsalted passwords for 4,610 user accounts linked to 9,668 Bitcoin wallets. The database had no administrative password, potentially enabling unauthorized access to funds through password hash comparisons or injection attacks. The organization acknowledged the oversight, attributed the exposure to a recent system update, and planned infrastructure changes to prevent a recurrence. Following the incident, users whose cryptocurrency was stolen as a result of the security lapse received refunds.
Description
On March 30, 2016, MacKeeper security researcher Chris Vickery discovered an unprotected MongoDB database containing sensitive customer data from Coinroll, a Bitcoin casino platform that lets users wager on dice rolls. The database was publicly accessible over the internet without an administrative password, so unauthorized parties could download its contents. It stored information for 4,610 user accounts associated with 9,668 Bitcoin wallets. Passwords were hashed with SHA-256 but not salted, a security oversight that simplified brute-force attacks by allowing attackers to compare the stored hashes against precomputed hashes of common passwords. Vickery promptly notified Coinroll's staff about the exposure. The researcher speculated that threat actors could have exploited this vulnerability to steal funds through password hash cracking or direct MongoDB injection attacks against the casino's systems.

Coinroll acknowledged the security failure, attributing the exposure to an administrative oversight in which they neglected to set a MongoDB password, compounded by a recent Ubuntu update that inadvertently made the database accessible. The company announced plans to migrate its infrastructure to Fedora Linux to prevent similar configuration issues. Following the breach disclosure, Coinroll issued a public statement addressing the incident and initiated refunds to users whose funds were stolen. The exposed database’s contents created significant risk for the 4,610 affected accounts, as unsalted password hashes could be rapidly cracked to gain unauthorized access. This incident highlighted operational security deficiencies in Coinroll’s database management practices, particularly regarding authentication controls and cryptographic protections for stored credentials.
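The credential-storage weakness described above, shown beside a hardened form. This is an added example, not code from Coinroll or from the incident record: the function names, the sample accounts and the choice of PBKDF2-HMAC-SHA256 with a per-user random salt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Storage scheme the incident describes: one bare SHA-256 per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_digests(stored: dict[str, str]) -> dict[str, int]:
    """Audit check: stored values used by more than one account."""
    # A hit means the scheme is deterministic, so a single precomputed
    # value matches every account that chose that password.
    counts = Counter(stored.values())
    return {value: n for value, n in counts.items() if n > 1}


def hash_password(password: str) -> str:
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample accounts (not data from the incident).
SAMPLE = {"alice": "dice-roll-2016", "bob": "dice-roll-2016", "carol": "x9!Lm#42qT"}

if __name__ == "__main__":
    weak = {user: unsalted_sha256(pw) for user, pw in SAMPLE.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    print("unsalted digests shared by accounts:", shared_digests(weak))
    print("salted records shared by accounts:  ", shared_digests(strong))
    print("bob verifies:", verify_password(SAMPLE["bob"], strong["bob"]))
```

Running `shared_digests` over an existing credential table is a quick way to confirm whether stored hashes are deterministic before planning a migration to salted records.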
