DraftKings reveals thousands of customer accounts hit by cyberattack
Sports betting company DraftKings has shared more details about the recent account breach.
In late November, the company’s co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor apparently used credential stuffing to try to log into people’s DraftKings accounts.
The criminals succeeded in thousands of cases, eventually taking more than $300,000 from people’s accounts – though DraftKings has since refunded affected clients.
No credit card information stolen
Now, in a breach notification filed with the chief attorney general’s office, the company said a total of 67,995 people had their accounts compromised.
DraftKings said the threat actor obtained the credentials elsewhere and tested them against the accounts on its platform. The attack was a success not because of DraftKings, but rather because the users had poor security practices and used the same passwords for multiple services.
The document also details the type of information accessed during the incident, which means identity theft and impersonation attacks may follow in the near future:
“In case an account was accessed, the attacker had, among other things, the name, address, phone number, email address, last four digits of the payment card, profile picture, information about previous transactions, account balance and last date of password change,” the announcement claims.
“At this time, there is no evidence that the attackers have gained access to your social security number, driver’s license number or account number.
“Although bad actors may have seen the last four digits of your payment card, your full payment card number, expiration date and your CVV are not stored in your account.”
In addition to refunding the funds to affected customers, DraftKings also reset people’s accounts and introduced new fraud alerts. It also urged its users to use unique passwords for their online accounts, activate multi-factor authentication (MFA) where possible, and never share their credentials with third parties.
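The pattern the article describes, one source replaying leaked username/password pairs against many different accounts, looks quite different in authentication logs from a brute-force attack on a single account. The following Python detector is an added illustration, not code from the article, DraftKings or BleepingComputer; the log format, the thresholds and the log lines themselves are constructed for the example. It flags a source that hits many distinct accounts with a high failure rate in a short window, and returns the accounts that did log in, which are the ones an operator would reset and notify.

```python
"""Detect credential-stuffing patterns in authentication logs (illustrative).

Credential stuffing replays username/password pairs leaked elsewhere against
many accounts. Its signature differs from a brute-force attack on one account:
a single source touches MANY DISTINCT accounts, typically once each, with a
high failure rate and a small number of successes mixed in (the reused
passwords). This detector looks for that shape.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log lines, not from DraftKings or any real system.
# 203.0.113.5 sprays eight accounts in six seconds and gets into two of them;
# 198.51.100.7 is one user mistyping a password twice; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2022-11-18T03:12:07Z ip=203.0.113.5 user=alice result=fail
2022-11-18T03:12:08Z ip=203.0.113.5 user=bob result=fail
2022-11-18T03:12:08Z ip=203.0.113.5 user=carol result=success
2022-11-18T03:12:09Z ip=203.0.113.5 user=dave result=fail
2022-11-18T03:12:10Z ip=203.0.113.5 user=erin result=fail
2022-11-18T03:12:11Z ip=203.0.113.5 user=frank result=fail
2022-11-18T03:12:12Z ip=203.0.113.5 user=grace result=success
2022-11-18T03:12:13Z ip=203.0.113.5 user=heidi result=fail
2022-11-18T03:15:00Z ip=198.51.100.7 user=ivan result=fail
2022-11-18T03:15:20Z ip=198.51.100.7 user=ivan result=fail
2022-11-18T03:15:45Z ip=198.51.100.7 user=ivan result=success
2022-11-18T04:00:00Z ip=192.0.2.9 user=judy result=success
"""

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=success|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detector."""
    first: datetime
    last: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts actually logged into


def parse_line(line):
    """Parse one log line; return (ts, ip, user, result) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def aggregate(log_text):
    """Fold the log into per-IP statistics, skipping malformed lines."""
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # do not let one bad line crash the detector
        ts, ip, user, result = parsed
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first=ts, last=ts)
        s.first = min(s.first, ts)
        s.last = max(s.last, ts)
        s.attempts += 1
        s.users.add(user)
        if result == "fail":
            s.failures += 1
        else:
            s.successes.add(user)
    return stats


def detect_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.5,
                    window=timedelta(minutes=10)):
    """Return {ip: sorted accounts the source logged into} for flagged sources.

    Thresholds are illustrative; a source is flagged when it tries at least
    `min_distinct_users` different accounts, mostly failing, inside `window`.
    A single user retrying their own password never reaches the user threshold.
    """
    findings = {}
    for ip, s in aggregate(log_text).items():
        fail_ratio = s.failures / s.attempts
        within_window = (s.last - s.first) <= window
        if (len(s.users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio
                and within_window):
            findings[ip] = sorted(s.successes)
    return findings


if __name__ == "__main__":
    for ip, compromised in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset and notify {compromised}")
```

On the sample log only 203.0.113.5 is flagged, with `carol` and `grace` as the accounts that need a forced password reset and a fraud alert; the retrying user on 198.51.100.7 stays below the distinct-account threshold. In production the same logic would run over a sliding window and feed a rate limiter or MFA step-up rather than just a report, since, as the article notes, MFA is what blunts a valid-but-reused password.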
Via: BleepingComputer