
Thread: Mainstreet group exposes entire customer base's accounts

  1. #1
    thelawnet

    Mainstreet group exposes entire customer base's accounts

    The idiots in charge of this casino group have migrated all their accounts from Playtech.

    Unfortunately they decided to make the password the same as the username.

    Pretty stupid, as you can just login to anyone's random account.

    So if you have an account with them you are best to write and ask them to close it, as they are clearly completely clueless.

    You can also change any random user's password, here:

    Vegas Casino Online Newsletter
    Las Vegas USA Casino Change Password

  2. #2
    vinylweatherman

    Current Players.

    Would be nice if they had told current players this had now gone forward, with instructions as to what we should be doing to update our software, and to safeguard our accounts!
    I tried going to the website of Sun Palace, but it still claims to be powered by Playtech - so no change. A live chat window pops up, and says "welcome, can we help...." BUT if I try to use it, it does NOT WORK - as soon as I click on the message box to type something it does not give focus to my cursor, but corrupts the display of the chat box. It can be refreshed, but then simply sits with "waiting for an operator to respond".

    If they have indeed set the passwords to the account number, then for a while all accounts are theoretically compromised. Players have been told that a change of software was going to happen, but have yet to be told what to do about it, or what dates are involved.
    My accounts will have to remain theoretically compromised till Main Street, an accredited operation, decide it is time to tell players what we should do, and how we are going to be able to download and access our accounts under the new software - something that needs to be done ASAP to change the password!!!!!!!
    Empty Fruities Astern Capt'n
    Back to port for unloading.
    Full Sails - before we get raided ourselves.

  3. #3
    vinylweatherman

    Sun Palace

    After posting the above, I have received the mailer with the required links and instructions for securing my account, mainly immediately being able to set the password.

    It looks like this is not available on the main site, but is accessed from a link in the mailers to existing players.
    I now await the corresponding mailers for my other two accounts.
    I would like to know whether the original poster's fears about a security breach were founded.

    Although account numbers are not in the public domain (probably?), the way this changeover was implemented could enable a quick witted hacker the opportunity to gain access to a dormant account(s). I trust that additional measures have been thought up to ensure that access under the new software is only available to the original player from the location and PC they last used to play.

    I would have preferred a change to Microgaming, RTG casinos tend to have more problems around bonuses and promotions. Current players seem to be offered quite a large $500 bonus for the first deposit under RTG - I hope not to find nasty "max cashout" terms as are often found with the generous RTG offerings. RTG software does at least have a function to show achieved playthrough on a bonus, something which Playtech lacked.

  4. #4
    The Watchdog

    Damn

    I am sure that was taken care of... At least if what that guy states is true, it is not easy to spot a funded account from an entire database and harm it.

    Plus, you must be really fucked up to do so and start typing accounts

    I am sure Mainstreet's team take all the measures for customer accounts to be securely merged.

    Vynil, I am also concerned why they didn't consider Microgaming. I think Microgaming has banned a lot of states, so it was not good for business.

    If RTG is increasing their business, I am sure several upgrades and improvements will take place in the upcoming months...

    If Playtech's or Microgaming's programming or design departments have suffered staff layoffs, I would be looking for them if I was RTG's board of directors...

  5. #5
    AussieDave
    Quote, originally posted by The Watchdog:
    "If Playtech's or Microgaming's programming or design departments have suffered staff layoffs, I would be looking for them if I was RTG's board of directors..."

  6. #6
    thelawnet
    Quote, originally posted by The Watchdog:
    "I am sure that was taken care of... At least if what that guy states is true, it is not easy to spot a funded account from an entire database and harm it.

    Plus, you must be really fucked up to do so and start typing accounts"

    You'd also have to be quite fucked up if they accidentally exposed people's credit card numbers to use them.

    That doesn't make it a good idea for them to give them out though, does it?

    The whole point of security is to protect against bad people.

    In any case it is extremely easy to guess account numbers, as they all follow the same format - consecutively numbered accounts. So anyone could login and change dozens of accounts' passwords.

    Finally a criminal could probably easily find a funded account - plenty of people post their account numbers on message boards, not thinking the casino will be dumb enough to expose everyone's password. Or he could just keep trying accounts till he found a good one - it wouldn't take long.

    A casino group that is prepared to do this (and note there's no requirement to change your password when you first login, and as a result many people won't) quite simply is not fit to handle deposits and is quite possibly breaking the merchant account rules, and certainly is acting negligently - if a player had someone login to his account and steal the funds, the casino would be at fault.

  7. #7
    Casinomeister
    Quote, originally posted by thelawnet:
    "..In any case it is extremely easy to guess account numbers..."

    Okay, what's mine?

    It's not like this was published throughout the entire world wide web. These instructions were emailed to each player. Now if you had access to my email, then you'd be able to access my account. You don't so you won't.

    If any problems arise from this (and perhaps there might be some), then I'm sure the operators will look into this in detail. And I'd welcome anybody to post here or PAB if they fall victim to unscrupulous activity because of this. We need to know if anything was screwed up. Bring it on.
    Beer is living proof that God loves us and wants us to be happy
    ~Ben Franklin


  8. #8
    AussieDave
    Probably another good example why you should never publicly post your account ID or number.

  9. #9
    thelawnet
    Quote, originally posted by Casinomeister:
    "Okay, what's mine?

    It's not like this was published throughout the entire world wide web. These instructions were emailed to each player. Now if you had access to my email, then you'd be able to access my account. You don't so you won't."

    I didn't say it was easy to guess a specific account, I said it was easy to guess accounts. If your username is XXX49849, then you could try XXX49850, XXX49851, etc. And anyway, only emailing instructions to players doesn't mean anything when the instructions are exactly the same for everybody.

    There's nothing to stop you sitting there all day till you find an account with money in. I'm not sure how this can be acceptable.
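Added example, not part of any post in this thread and not the casino group's code: a sketch of how a migration can avoid the two weaknesses raised in posts #6 and #9 (a default password derived from the username, and no forced change at first login) by giving every account its own single-use token. The account dictionary layout, field names, token lifetime and minimum password length are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 72 * 3600   # assumed lifetime of the emailed link, in seconds
PBKDF2_ROUNDS = 600_000


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def issue_reset_token(account, now=None):
    """Migrate one account with no usable password and a per-player token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # random, unrelated to username
    account["pw_salt"] = account["pw_hash"] = None
    account["reset_hash"] = hashlib.sha256(token.encode()).digest()
    account["reset_expires"] = now + TOKEN_TTL
    return token                                # emailed to this player only


def redeem_token(account, token, new_password, now=None):
    """Set the first password; the token works once and only before expiry."""
    now = time.time() if now is None else now
    stored = account.get("reset_hash")
    if stored is None or now > account["reset_expires"]:
        return False
    if not hmac.compare_digest(stored, hashlib.sha256(token.encode()).digest()):
        return False
    if len(new_password) < 12 or new_password.lower() == account["username"].lower():
        return False                            # never accept password == username
    account["pw_salt"] = secrets.token_bytes(16)
    account["pw_hash"] = _kdf(new_password, account["pw_salt"])
    account["reset_hash"] = None                # single use
    return True


def login(account, password):
    """Accounts that have not redeemed their token cannot log in at all."""
    if account.get("pw_hash") is None:
        return False
    return hmac.compare_digest(account["pw_hash"], _kdf(password, account["pw_salt"]))


# Constructed sample accounts with consecutive usernames.
accounts = {u: {"username": u} for u in ("DEMO10001", "DEMO10002")}
tokens = {u: issue_reset_token(a) for u, a in accounts.items()}
```

With this layout the emailed instructions can be identical for everyone, because the secret is the per-account token in the link, not the instructions.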

  10. #10
    spearmaster
    thelawnet's right - this is a huge security risk.

    I don't need to access CM's account per se - I'll take any account I can get into. Easy enough to replace numbers, or some sort of brute force technique, to compromise a number of accounts.
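Added example, not part of any post in this thread: a detection sketch for the pattern described above, where one source works through consecutively numbered usernames. The log format, field names, addresses and the threshold of five consecutive accounts are constructed assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"ip=(?P<ip>\S+) user=(?P<prefix>[A-Za-z]+)(?P<num>\d+) result=(?P<result>\w+)"
)


def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... in a collection of integers."""
    nums, best = set(numbers), 0
    for n in nums:
        if n - 1 not in nums:            # n starts a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best


def find_sequential_walkers(lines, min_run=5):
    """Return {ip: (run_length, successes)} for sources walking account numbers."""
    seen = defaultdict(set)       # (ip, username prefix) -> account numbers tried
    successes = defaultdict(int)  # ip -> number of successful logins
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        seen[(m["ip"], m["prefix"])].add(int(m["num"]))
        if m["result"] == "ok":
            successes[m["ip"]] += 1
    flagged = {}
    for (ip, _prefix), nums in seen.items():
        run = longest_consecutive_run(nums)
        if run >= min_run and run > flagged.get(ip, (0, 0))[0]:
            flagged[ip] = (run, successes[ip])
    return flagged


# Constructed log lines: one source stepping through eight consecutive
# usernames, and one player logging in twice to a single account.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{i:02d}Z ip=203.0.113.7 user=DEMO{10000 + i} "
    f"result={'ok' if i % 3 == 0 else 'fail'}"
    for i in range(8)
] + [
    "2024-01-01T10:05:00Z ip=198.51.100.4 user=DEMO10442 result=ok",
    "2024-01-01T10:06:00Z ip=198.51.100.4 user=DEMO10442 result=ok",
]
```

A non-zero success count next to a long run is the signal to lock the affected accounts and force a reset, since each success is an account that still had a guessable password.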
