Sports betting giant DraftKings, a company providing sportsbook and daily fantasy sports services, recently notified a small number of customers that their accounts were accessed in a data breach. The company stated that the attacks had the hallmarks of a credential stuffing campaign, a tactic where hackers use stolen login information from other online services to gain unauthorized access to accounts. The company reported that the attackers were able to view a limited amount of data, including names, addresses, dates of birth, phone numbers, and the last four digits of payment cards.
In a data breach notification letter sent to customers, DraftKings explained that the attackers gained access to accounts by using login credentials that were stolen from a source other than DraftKings. This means the attackers didn’t breach DraftKings’ computer systems or networks. Instead, they took advantage of customers who reused passwords across different websites and services. The company did reassure customers that sensitive information like full financial account numbers and government-issued identification numbers were not compromised, meaning the attackers couldn’t directly access customers’ bank accounts or commit identity theft.
To mitigate the damage, DraftKings has required affected customers to reset their account passwords and enable multifactor authentication for their DK Horse accounts. The company also advised all customers to change their account passwords, monitor their bank accounts and credit reports, and consider placing security freezes on their credit reports. This precautionary advice is particularly important for anyone who may have reused their DraftKings password on other sites that have been previously compromised.
Credential stuffing has become an increasingly common threat. The FBI has warned that these types of attacks are on the rise due to the widespread availability of stolen credentials and automated tools that make it easy for hackers to try and breach multiple accounts. In fact, this isn’t the first time DraftKings has dealt with this kind of issue. In November 2022, the company revealed that hackers had stolen up to $300,000 from customer accounts in another credential stuffing campaign.
A DraftKings spokesperson confirmed that fewer than 30 customers were impacted by this specific incident and reiterated that the company’s systems were not breached. The spokesperson also stated that no customers had experienced any financial loss as a result of the incident. This information came as an update after the initial news broke, providing a clearer picture of the scale of the attack and its limited impact on DraftKings’ extensive customer base.
Reference:
