
Popular sports betting platform DraftKings announced it recently experienced a data security incident in which threat actors carried out a credential stuffing attack and accessed confidential customer information.
In a data security incident notice filed with the Office of the Massachusetts Attorney General, DraftKings said that on September 2, it identified unauthorised access to its internal network. The sports betting company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.
It also took steps to contain the impact of the network intrusion and notified law enforcement.
The investigation determined that threat actors had compromised company accounts, resulting in unauthorised access to a limited portion of customer data. The attacks exhibited clear characteristics of a credential stuffing campaign.
Credential stuffing automates login attempts using stolen credentials from other platforms. Users who reuse passwords are prime targets. Attackers aim to take over accounts and steal data for resale or identity fraud.
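The pattern described above (one source trying many different accounts, mostly failing) can be picked out of login logs. The following is an added example, not DraftKings' or teiss' code; the log format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MIN_ACCOUNTS = 10              # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8           # assumed: reused credentials mostly fail

def detect_stuffing(lines):
    """Return {source_ip: usernames that logged in OK} for sources matching the pattern."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(users) >= MIN_ACCOUNTS and fails / len(window) >= MIN_FAIL_RATIO:
                # Every successful login from this source is now suspect.
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

def sample_log():
    """Constructed log lines: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=i)).isoformat()
        # Many accounts, one attempt each, a single hit: credential stuffing.
        lines.append(f"{t} 203.0.113.7 user{i:02d} {'OK' if i == 5 else 'FAIL'}")
        # One account, many failures: password guessing, not stuffing.
        lines.append(f"{t} 192.0.2.9 carol FAIL")
    # An ordinary user mistyping a password twice before succeeding.
    for m, o in [(1, "FAIL"), (2, "FAIL"), (3, "OK")]:
        lines.append(f"{(base + timedelta(minutes=m)).isoformat()} 198.51.100.4 bob {o}")
    return lines

if __name__ == "__main__":
    print(detect_stuffing(sample_log()))
```

The usernames returned for a flagged source are the accounts to prioritise for forced password resets and multi-factor enrolment.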
“Our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident. We also have not observed evidence that any sensitive customer information – that is, government-issued identification numbers, full financial account numbers, or other information that would enable the bad actor to commit identity theft or to access our customers’ bank accounts – was subject to unauthorised access as part of this incident,” DraftKings said.
The company added that by using stolen credentials from another source, the attacker may have temporarily accessed some DraftKings accounts, potentially viewing personal details such as names, contact information, birth dates, partial payment card numbers, profile photos, transaction history, account balances, and password change dates.
DraftKings is enforcing password resets and multi-factor authentication for affected users, while advising customers to monitor finances and credit, update passwords, and apply security freezes or fraud alerts as precautions.