Sports betting company DraftKings said its customers suffered credential stuffing attacks, but denies a hack of its own systems.
The total loss of users is estimated at $300,000. At the same time, DraftKings emphasizes that its own resources and systems have not been affected.Let me remind you that we also wrote that General Motors Users Hit by Credential Stuffing Attack.
Let me remind you that the term credential stuffing usually refers to situations where usernames and passwords are stolen from some sites (as, for example, in this case), and then used on others. That is, attackers have a ready-made credential database (acquired on the dark web, collected on their own, and so on) and try to use this data to log in to any sites and services under the guise of their victims.
At the beginning of this week, DraftKings representatives reported that they were investigating reports from clients (1, 2, 3, 4) who had experienced account hacks.
Apparently, all hacked accounts have one thing in common, as necessity to make an initial deposit of $5, after which the attackers change the password, enable two-factor authentication for another phone number, and withdrew as much money as possible from the bank account linked to the site
Some victims also complained that they were unable to contact any of the DraftKings employees and had to watch the attackers empty their bank accounts in several steps
The company advised customers not to use the same passwords for different sites and services, and never share their credentials with third-party platforms, including trackers and betting apps (other than those provided by DraftKings).
Users not affected by these attacks are advised to immediately enable 2FA for their accounts and remove all bank details (or unlink bank accounts from accounts to block fraudulent withdrawal requests).
As The Record notes, at the same time, messages from hundreds of victims can be found on social networks, and they claim that they used unique passwords and did not share them with anyone.