Alleged Server crash at Carbon Poker leads to major security breach

The Carbon Online Poker Series was a highly anticipated, 76-event tournament series that members of the site had been looking forward to for quite some time. $2 million was guaranteed across the two week series that began on November 9th. Unfortunately, just as things were about to wrap up last weekend, the server crashed, and that’s when all hell broke loose.

Server crashes aren’t all that rare in the online poker industry. What is rare, however, is when a crash leads to a major security breach. According to sources on the TwoPlusTwo poker forums, that’s exactly what happened at Carbon Poker.

Members of the online poker site who were playing in the final, $75k GTD leg of the Carbon OPS, as well as those participating in the Sunday Majors, began posting frantically on the forum. The majority of them were first complaining that they were logged out of the site with cards and chips on the table, and were unable to log back in. But when others started revealing that they were able to login, that’s when things got scary.

Those players who successfully logged back in were not logged into their own accounts, but alleged were given access to other player’s accounts. They were returned to the tournament tables that the true account holder was playing on at the time of the crash, able to use the money in those accounts to play. Even worse, they were able to view sensitive information on those accounts. And while the players posting this information on TwoPlusTwo were not using any of this information in a duplicitous way, rather trying to inform the community of the disastrous breach of security that was taking place, it’s impossible to say how many untrustworthy members of Carbon Poker were not so responsible.

To make matters worse, Carbon Poker seemed to be downplaying the incident in its initial response. One member of the forum posted the reply he got from Carbon Poker as follows:

“During a very brief window early this morning during a server restart, certain players using the auto-login setting were returned to another player’s session. You were one of the very few players affected. This view would have been visible only momentarily while the server completed restarting. We are confident that possible interaction with the account was limited, and we are taking measures to confirm that the situation is fully contained.”

The response was one of outrage, of course, and it didn’t help that (according to some posters) Carbon Poker was also responding to players who contacted support to report money missing from their accounts by telling them that no refunds would be given. As the ire of the community swelled, Carbon Poker officials apparently came to their senses and offered compensation. Players began sharing emails and confirmation that their accounts had been reimbursed for any equity lost during the crash.

The bigger question remains though – how could such a catastrophic breach of security be possible at an online poker room that, up until this incident, carried such a strong reputation? How could a server crash – something that isn’t uncommon, especially when so many people are logged in at the same time – result in such devastation as to allow players access to random accounts? And were players who weren’t aware of the situation reimbursed, or was that reserved only for those who noticed a drop in their account’s funds and complained about it?

Neither Carbon Poker nor the Merge Gaming Network has offered any public comments on the situation to date.