DraftKings users lose thousands in devious cyberattack


Users of the popular sports betting platform DraftKings were on the receiving end of a credential stuffing attack that cost victims around $300,000.

Paul Liberman, co-founder and president of the company, issued a statement via Twitter saying that the platform’s systems were not compromised, but rather that the incident was the result of poor cybersecurity practices by users.

“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the credentials of these clients were compromised on other websites and then used to access their DraftKings accounts where they used the same credentials,” the statement reads. “We have seen no evidence that DraftKings’ systems were breached to obtain this information.”

Set MFB

Liberman went on to say that despite this being the end user’s fault, the company will still reimburse affected customers:

“We have identified less than $300,000 in customer assets that are affected, and we plan to nurse every affected customer back to health.”

During the attack, users found themselves locked out of their accounts, and in some cases, the attackers even set up two-factor authentication using their phone numbers.

Credential stuffing is a popular method in the cybercrime community. Out of convenience, many consumers end up using the same username/password combination for a number of different services.

The problem with this approach is that once one of those services is compromised, the users risk losing a lot more. Cybercriminals are also aware of this fact and often use automated scripts to test obtained credentials on a variety of services, from social media networks to shopping sites, betting and bank accounts.

Users are advised to create strong and unique passwords for all their online accounts and to use password managers to keep that information safe.
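
On the service side, the pattern described above (one source testing many reused credentials, then enrolling two-factor authentication on an account it gets into) can be looked for in authentication logs. The following Python is an added example, not code from DraftKings or the original article; the event fields, thresholds and sample log entries are constructed assumptions.

```python
from collections import defaultdict

def _ev(ts, ip, user, event):
    return {"ts": ts, "ip": ip, "user": user, "event": event}

# Constructed sample events (ts in seconds, RFC 5737 documentation IPs).
# Field names and event types are assumptions, not a real log schema.
EVENTS = (
    [_ev(i, "203.0.113.7", f"user{i}", "login_fail") for i in range(8)]
    + [
        _ev(10, "203.0.113.7", "victim", "login_ok"),
        _ev(40, "203.0.113.7", "victim", "mfa_enroll"),
        # A normal user who mistypes once, logs in, then enrolls MFA.
        _ev(50, "198.51.100.4", "bob", "login_fail"),
        _ev(55, "198.51.100.4", "bob", "login_ok"),
        _ev(90, "198.51.100.4", "bob", "mfa_enroll"),
    ]
)

def stuffing_sources(events, min_users=5, max_success_ratio=0.25):
    """Return IPs that try many distinct usernames and mostly fail."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            users[e["ip"]].add(e["user"])
            total[e["ip"]] += 1
            ok[e["ip"]] += e["event"] == "login_ok"
    return {ip for ip in total
            if len(users[ip]) >= min_users
            and ok[ip] / total[ip] <= max_success_ratio}

def likely_takeovers(events, window=600):
    """Accounts where a flagged source logged in, then enrolled MFA
    from the same IP within `window` seconds."""
    suspects = stuffing_sources(events)
    last_ok, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ip"], e["user"])
        if e["ip"] not in suspects:
            continue
        if e["event"] == "login_ok":
            last_ok[key] = e["ts"]
        elif (e["event"] == "mfa_enroll" and key in last_ok
              and e["ts"] - last_ok[key] <= window):
            hits.append(e["user"])
    return hits

if __name__ == "__main__":
    print(stuffing_sources(EVENTS), likely_takeovers(EVENTS))
```

Accounts returned by `likely_takeovers` are candidates for a forced password reset and a review of the newly enrolled second factor before any withdrawal is allowed.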

Via: The Register
