A connection may exist between an Internet-accessible unprotected MongoDB database and the theft of funds from the Bitcoin wallets of several clients of the Coinroll Bitcoin casino.
On March 30, MacKeeper security researcher Chris Vickery says he discovered a MongoDB database holding sensitive information about the customers of Coinroll, a website where users can register and bet small amounts of Bitcoin on the roll of a dice.
Besides being freely available for anyone over the Internet, the database also didn’t have an administrative password, meaning any snooping user could have downloaded its content.
Passwords were hashed, but not salted
Mr. Vickery says he discovered 4,610 Coinroll user accounts, tied to 9,668 Bitcoin wallets, which he reported to Coinroll’s staff.
The problem Mr. Vickery identified was that the database also exposed the password hashes for each account. While all password strings were hashed with the SHA256 cryptographic hash function, they were not salted. Salting is the process of adding random data to each password before it is hashed, so that identical passwords produce different hashes and an attacker cannot reuse one precomputed table of hashes against every account, which makes the hashes far harder to crack.
This meant that if an attacker got hold of the data, he could compare the SHA256 hashes of common password strings and identify accounts and wallets with
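The exposure described above, as an added illustration that is not part of the original article and uses only constructed sample accounts (no Coinroll data): an unsalted SHA256 store can be audited against a short list of common passwords with a single hash per word, and identical passwords are visible as identical hashes even before any matching is done. The same table is useless against a store that salts each password and runs it through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard `hashlib` is used here as the hardened form; the usernames, passwords and iteration count are assumptions).

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data (not real user data): a few usernames stored with
# unsalted SHA256 password hashes, the pattern the article describes.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def sha256_hex(text: str) -> str:
    """Plain, unsalted SHA256 of a password string (the weak scheme)."""
    return hashlib.sha256(text.encode()).hexdigest()


UNSALTED_STORE = {
    "alice": sha256_hex("123456"),
    "bob": sha256_hex("Correct-Horse-Battery-Staple-97!"),
    "carol": sha256_hex("123456"),
    "dave": sha256_hex("letmein"),
}


def audit_unsalted(store: dict, wordlist: list) -> dict:
    """Defensive audit of an unsalted store: one SHA256 per candidate word is
    enough to check every account at once. Returns {user: matched_password}."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def duplicate_hash_groups(store: dict) -> list:
    """Without salt, users who chose the same password share the same hash,
    which an auditor (or attacker) can see without cracking anything."""
    groups = defaultdict(list)
    for user, h in store.items():
        groups[h].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Hardened form: a random 16-byte salt per password plus a slow KDF
    (PBKDF2-HMAC-SHA256). The salt is stored alongside the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_salted_store(plaintext_by_user: dict) -> dict:
    return {user: make_salted_record(pw) for user, pw in plaintext_by_user.items()}


def audit_salted_with_shared_table(store: dict, wordlist: list) -> dict:
    """The single shared table from audit_unsalted() finds nothing here:
    each record has its own salt, so no stored hash equals sha256(word)."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[r["hash"]] for user, r in store.items() if r["hash"] in table}


if __name__ == "__main__":
    print("unsalted accounts matched:", audit_unsalted(UNSALTED_STORE, COMMON_PASSWORDS))
    print("shared-password groups:", duplicate_hash_groups(UNSALTED_STORE))
    salted = build_salted_store({"alice": "123456", "carol": "123456"})
    print("salted accounts matched by shared table:", audit_salted_with_shared_table(salted, COMMON_PASSWORDS))
    print("alice and carol hashes differ:", salted["alice"]["hash"] != salted["carol"]["hash"])
    print("alice verifies with correct password:", verify_salted(salted["alice"], "123456"))
```

The point for a defender is that salting alone removes the shared-table shortcut and the visible duplicate groups, while the slow KDF makes even per-account guessing expensive; production systems should use a dedicated password hash such as bcrypt, scrypt or Argon2 rather than plain SHA256.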