Sports betting company DraftKings has shared more details about the recent account breach it suffered.
In late November, the company’s co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor appeared to have used credential stuffing to attempt to log into people’s DraftKings accounts.
The criminals were successful in thousands of cases, ending up draining more than $300,000 from people’s accounts — although DraftKings has since refunded affected customers.
No credit card information stolen
Now, in a breach notice filed with the Attorney General’s Office, the company said the accounts of a total of 67,995 people were compromised.
DraftKings said the threat actor obtained the credentials elsewhere and tried them against the accounts on its platform. The attack succeeded not because of DraftKings, but because its users had poor security practices and reused the same passwords across multiple services.
The document also describes the type of information accessed during the incident and shows that identity theft and impersonation attacks might happen in the near future:
“If an account was accessed, the attacker could obtain, among other things, the account holder’s name, address, phone number, email address, last four digits of the payment card, profile photo, information about previous transactions, account balance, and last password change date,” the announcement reads.
“Currently, there is no evidence that the attackers accessed your social security number, driver’s license number, or financial account number.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and CVV are not stored in your account.”
In addition to refunding affected customers, DraftKings also reset people’s accounts and rolled out new fraud alerts. It also urged its users to use unique passwords for their online accounts, enable multi-factor authentication (MFA) wherever possible, and never share their credentials with anyone.
Via: BleepingComputer
https://www.techradar.com/news/draftkings-reveals-thousands-of-customer-accounts-hit-by-cyberattack DraftKings Reveals Thousands of Customer Accounts Affected by Cyber Attacks