Popular sports betting site DraftKings has confirmed that about 68,000 individuals were affected in a security incident the company suffered in November.
Last month, Paul Liberman, the co-founder of DraftKings, confirmed that the company was aware that some customers were facing “irregular activity” with their accounts. The company suspected that the login credentials of those customers were compromised on another website which led the threat actors to gain unauthorised access to their DraftKings accounts.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information.
“We have seen no evidence to suggest that DraftKings’ systems were breached to obtain this information,” Liberman said.
DraftKings believes that an amount close to $300,000 was stolen by the hackers. The company has committed to reimbursing all affected customers in due course.
In a recent data breach notification filed with the Attorney General of Maine, the company has confirmed that the sensitive personal data of 67,995 people was compromised in the cyber attack. According to DraftKings’ investigation, the threat actors previously gained access to the credentials required to log into the customers’ accounts from a non-DraftKings source.
“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification read.
DraftKings has also confirmed that it has no evidence to confirm that threat actors accessed its customers’ Social Security numbers, driver’s license numbers, or financial account numbers.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account,” the company added.
The company has reset the affected accounts’ passwords and implemented additional fraud alerts. It has also refunded the funds that were withdrawn as a result of the credential attack, which amounts to a total of approximately $300,000.
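The credential-stuffing pattern described above (credentials leaked elsewhere and replayed against many accounts from outside sources) leaves a recognisable trace in authentication logs: one source trying many distinct usernames with a high failure rate, and the accounts that do succeed from such a source are the ones to reset and alert on. The following Python is an added example, not DraftKings’ code; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not DraftKings data); one line per login attempt.
SAMPLE_LOG = """\
2022-11-18T10:00:01Z ip=203.0.113.5 user=alice result=fail
2022-11-18T10:00:02Z ip=203.0.113.5 user=bob result=fail
2022-11-18T10:00:03Z ip=203.0.113.5 user=carol result=success
2022-11-18T10:00:04Z ip=203.0.113.5 user=dave result=fail
2022-11-18T10:00:05Z ip=203.0.113.5 user=erin result=fail
2022-11-18T10:00:06Z ip=203.0.113.5 user=frank result=success
2022-11-18T10:01:00Z ip=198.51.100.7 user=alice result=fail
2022-11-18T10:01:30Z ip=198.51.100.7 user=alice result=success
2022-11-18T10:02:00Z ip=192.0.2.9 user=grace result=success
"""

# Assumed log line layout: timestamp, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the assumed key=value format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames with a high failure rate.
    A normal user retyping a password hits one account; a credential-stuffing
    source cycles through many accounts and mostly fails. Thresholds are assumptions."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        users[e["ip"]].add(e["user"])
        total[e["ip"]] += 1
        if e["result"] != "success":
            fails[e["ip"]] += 1
    return {ip for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def accounts_to_reset(events, suspicious_ips):
    """Accounts that logged in successfully from a flagged source: the likely
    reused-credential takeovers to password-reset and put on fraud alert."""
    return sorted({e["user"] for e in events
                   if e["ip"] in suspicious_ips and e["result"] == "success"})
```

On the constructed log, 203.0.113.5 is flagged (six distinct users, four of six attempts failed) and carol and frank are the accounts to reset; the lone retry from 198.51.100.7 is not flagged.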
Commenting on the news, Grant Wyatt, Chief Operating Officer at MIRACL, said, “Passwords are outdated and provide customers with a poor user experience – and in the gaming industry they no longer meet security requirements or comply with a number of regulations. The recent legislation introduced by New Jersey and, most recently, Pennsylvania, to mandate 2FA login for commercial enterprises, is a major step in the right direction to help operators address security issues.
“Yet, whilst using conventional multi-step multi-factor authentication - via SMS or authenticator app - helps with the issue at hand, organisations will continue to experience loss of revenue as a result of customer frustration with the many steps involved within the process. This stresses the importance for the sports betting community to embrace change and accept that single-step, passwordless MFA is the future.
“Passwords are not a reliable security measure and will never be able to meet the needs of an organisation or their regulators and customers,” Wyatt added.