$300,000 Are Stolen from DraftKings Customers, but Company Denies a Hack

Written by Emma Davis

Sports betting company DraftKings said its customers suffered credential stuffing attacks, but denies a hack of its own systems.

Total user losses are estimated at $300,000. At the same time, DraftKings emphasizes that its own resources and systems have not been affected.

We also previously reported that General Motors users were hit by a credential stuffing attack.

The term credential stuffing usually refers to situations where usernames and passwords are stolen from some sites (as, for example, in this case) and then used on others. That is, attackers have a ready-made credential database (acquired on the dark web, collected on their own, and so on) and try to use this data to log in to any sites and services under the guise of their victims.

At the beginning of this week, DraftKings representatives reported that they were investigating reports from clients who had experienced account hacks.

Apparently, all hacked accounts have one thing in common: an initial deposit of $5 is made, after which the attackers change the password, enable two-factor authentication for another phone number, and withdraw as much money as possible from the bank account linked to the site.

Some victims also complained that they were unable to contact any of the DraftKings employees and had to watch the attackers empty their bank accounts in several steps.
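The sequence victims described (a small deposit, a password change, 2FA moved to another phone number, then withdrawals) can be checked for in account event logs. The following is an added example, not code from DraftKings or the original article; the event field names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Ordered steps reported by victims: small deposit, password change,
# 2FA moved to a new phone number, then withdrawals.
CHAIN = ("deposit", "password_change", "mfa_phone_change", "withdrawal")

def find_takeover_chains(events, window=timedelta(hours=24), max_deposit=5.0):
    """Return {account: total withdrawn} for accounts whose events contain
    CHAIN as an ordered subsequence inside `window` (assumed threshold)."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account.setdefault(ev["account"], []).append(ev)

    flagged = {}
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            # The chain starts with a small deposit ($5 in the reports).
            if first["type"] != "deposit" or first["amount"] > max_deposit:
                continue
            step, withdrawn = 1, 0.0
            for ev in evs[i + 1:]:
                if ev["ts"] - first["ts"] > window:
                    break
                if step < len(CHAIN) - 1 and ev["type"] == CHAIN[step]:
                    step += 1  # next expected step observed, in order
                elif step == len(CHAIN) - 1 and ev["type"] == "withdrawal":
                    withdrawn += ev["amount"]  # withdrawals after 2FA change
            if withdrawn > 0:
                flagged[account] = withdrawn
                break
    return flagged

def _ev(account, minutes, kind, amount=0.0):
    # Helper for the constructed sample data below (hypothetical schema).
    ts = datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minutes)
    return {"account": account, "ts": ts, "type": kind, "amount": amount}

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    _ev("alice", 0, "deposit", 5.0), _ev("alice", 2, "password_change"),
    _ev("alice", 3, "mfa_phone_change"), _ev("alice", 5, "withdrawal", 500.0),
    _ev("alice", 20, "withdrawal", 300.0),
    _ev("bob", 0, "deposit", 50.0), _ev("bob", 60, "withdrawal", 20.0),
    _ev("carol", 0, "password_change"), _ev("carol", 10, "deposit", 5.0),
    _ev("carol", 30, "withdrawal", 40.0),
]

if __name__ == "__main__":
    print(find_takeover_chains(SAMPLE_EVENTS))
```

An account flagged this way is a candidate for holding withdrawals and confirming the 2FA change through the previously registered contact details.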

Paul Lieberman


"We currently believe that these clients’ credentials were compromised on other sites and then used to access their DraftKings accounts where they used the same login details. We found no evidence that DraftKings systems were hacked to obtain this information. We have determined that the funds of affected customers are less than $300,000 and we intend to make amends for all those affected," DraftKings President and Co-Founder Paul Lieberman says.

The company advised customers not to use the same passwords for different sites and services, and never share their credentials with third-party platforms, including trackers and betting apps (other than those provided by DraftKings).

Users not affected by these attacks are advised to immediately enable 2FA for their accounts and remove all bank details (or unlink bank accounts from accounts to block fraudulent withdrawal requests).

As The Record notes, at the same time, messages from hundreds of victims can be found on social networks, and they claim that they used unique passwords and did not share them with anyone.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
