DraftKings reveals thousands of customer accounts hit by cyberattack

Customers had $300,000 stolen from their accounts


Sports betting company DraftKings has shared more details about the recent account breach it suffered.

In late November, the company’s co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor apparently used credential stuffing to try and log into people’s DraftKings accounts.

The criminals succeeded in thousands of instances and ended up pulling more than $300,000 from people’s accounts - although DraftKings has since refunded the affected customers.

No credit card info stolen


Now, in a breach notification filed with the Maine Attorney General’s office, the company said a total of 67,995 people have had their accounts compromised.

DraftKings said that the threat actor obtained the login information elsewhere, and tried it against the accounts on its platform. The attack was a success not due to DraftKings, but rather due to its users having poor security practices and using the same passwords across multiple services.

The document also details the type of information that was accessed during the incident, showing that identity theft and impersonation attacks could happen in the near future:

“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the announcement claims.


“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number.

“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

Besides refunding the money to affected customers, DraftKings also reset people’s accounts and introduced new fraud alerts. It also urged its users to use unique passwords for their online accounts, to activate multi-factor authentication (MFA) wherever possible, and to never share their login credentials with third parties.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
