DraftKings reveals thousands of customer accounts hit by cyberattack
Customers had $300,000 stolen from their accounts
Sports betting company DraftKings has shared more details about the recent account breach it suffered.
In late November, the company’s co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor apparently used credential stuffing to try to log in to people’s DraftKings accounts.
The criminals succeeded in thousands of instances and ended up pulling more than $300,000 from people’s accounts, although DraftKings has since refunded the affected customers.
No credit card info stolen
Now, in a breach notification filed with the Maine Attorney General’s office, the company said a total of 67,995 people have had their accounts compromised.
DraftKings said that the threat actor obtained the login information elsewhere and tried it against the accounts on its platform. The attack succeeded not because of DraftKings itself, but because its users had poor security practices and used the same passwords across multiple services.
The document also details the type of information that was accessed during the incident, showing that identity theft and impersonation attacks could happen in the near future:
"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the announcement claims.
"At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number.
"While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."
Besides refunding the money to affected customers, DraftKings also reset people’s accounts and introduced new fraud alerts. It also urged its users to use unique passwords for their online accounts, to activate multi-factor authentication (MFA) wherever possible, and to never share their login credentials with third parties.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.