DraftKings: Data of over 67K individuals was compromised in an account hack

DraftKings, a sports betting firm, revealed that 67,000 of its customers had their personal data exposed in the November hack.

Credential stuffing is a technique that uses automated tools to attempt logins with credentials (username/password pairs) taken from other online services.

This strategy works extremely well against accounts whose owners use the same login information on multiple platforms.

The attackers' goal is to take over as many accounts as they can in order to steal the associated financial and personal information. This data is then sold on hacking forums or the dark web. The stolen data may be used to commit identity theft, make unauthorised purchases, or empty bank accounts that are linked to the compromised accounts.

Almost 68,000 DraftKings customers affected

DraftKings revealed this in a breach notification filed with the Maine Attorney General's Office. It stated that the incident exposed the personal data of 67,995 individuals.

According to the company, the attackers obtained the credentials needed to log into customers' accounts from a non-DraftKings source.

The breach notification states that, "in the event of an account being accessed", the attacker could have seen the account holder's name, address, phone number, and email address, as well as the last four digits of the payment card, the profile photo, details about previous transactions, the account balance, and the date the password was last changed.

There is no evidence at this point that attackers have accessed your Social Security Number, Driver’s License Number, or Financial Account number.

Bad actors might have seen the last four digits of your payment card. However, your complete payment card number, expiration date, and CVV are not saved in your account.

DraftKings reset the passwords of the accounts affected by the attack and implemented additional fraud alerts.

DraftKings cofounder Paul Liberman stated that the company also refunded the funds taken as a result of the credential attack. The refunds could be up to $300,000.

Attack on bank accounts belonging to DraftKings users who were breached

The common factor in the user account hijackings is an initial $5 deposit, followed by a password change and the enabling of two-factor authentication (2FA) on a different phone number. The attackers then withdrew as much money as possible from the victims' linked bank accounts.
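The hijacking pattern described above (a small deposit, a password change, 2FA moved to another phone number, then a withdrawal) is an ordered sequence that a fraud team can alert on. The following is an added example, not DraftKings' code: the event names, the one-hour window and the sample events are assumptions constructed for illustration, and only the $5 threshold comes from the article.

```python
from datetime import datetime, timedelta

# Ordered stages of the hijacking pattern. Event names are hypothetical,
# not DraftKings' real telemetry schema.
STAGES = ["deposit", "password_change", "mfa_phone_change", "withdrawal"]

def find_takeover_chains(events, window=timedelta(hours=1), probe_max=5.00):
    """Return sorted account ids that complete every stage, in order, within
    `window` of a deposit no larger than `probe_max`."""
    progress = {}  # account -> (index of next expected stage, chain start)
    flagged = set()
    for ts, account, kind, amount in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        stage, start = progress.get(account, (0, None))
        if stage and when - start > window:
            stage, start = 0, None  # chain went stale: start over
        if kind == "deposit" and amount is not None and amount <= probe_max:
            stage, start = 1, when  # a small deposit (re)starts a chain
        elif stage and kind == STAGES[stage]:
            stage += 1
            if stage == len(STAGES):
                flagged.add(account)
                stage, start = 0, None
        progress[account] = (stage, start)
    return sorted(flagged)

# Constructed sample events: (timestamp, account, event, amount).
SAMPLE_EVENTS = [
    ("2022-11-21T02:10:00", "acct-1001", "deposit", 5.00),
    ("2022-11-21T02:12:00", "acct-1001", "password_change", None),
    ("2022-11-21T02:13:00", "acct-1001", "mfa_phone_change", None),
    ("2022-11-21T02:20:00", "acct-1001", "withdrawal", 740.00),
    # Small deposit and withdrawal, but no credential changes in between.
    ("2022-11-21T09:00:00", "acct-1002", "deposit", 5.00),
    ("2022-11-21T09:30:00", "acct-1002", "withdrawal", 20.00),
    # Credential changes without the deposit/withdrawal bracket.
    ("2022-11-21T11:00:00", "acct-1003", "password_change", None),
    ("2022-11-21T11:01:00", "acct-1003", "mfa_phone_change", None),
    # Full chain, but the withdrawal comes 3.5 hours after the deposit.
    ("2022-11-21T10:00:00", "acct-1004", "deposit", 5.00),
    ("2022-11-21T10:05:00", "acct-1004", "password_change", None),
    ("2022-11-21T10:06:00", "acct-1004", "mfa_phone_change", None),
    ("2022-11-21T13:30:00", "acct-1004", "withdrawal", 310.00),
]

if __name__ == "__main__":
    print(find_takeover_chains(SAMPLE_EVENTS))
```

The time window is the tuning knob: widening it to four hours also flags the slower chain on the fourth sample account, at the cost of more legitimate sessions matching.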

DraftKings did not provide any additional information about how the attackers took funds. However, BleepingComputer learned that a threat actor sold stolen accounts, along with their deposit balances, on an online marketplace for between $10 and $35.

The sales included instructions on how to make the $5 deposits and withdraw the entire amount from the stolen DraftKings accounts.

Instructions on how to empty breached DraftKings accounts (BleepingComputer)

After DraftKings announced the credential-stuffing attack, it locked down the compromised accounts, and a warning followed that the campaign wasn't working.

Warning that DraftKings locked the breached accounts (BleepingComputer)

Customers are advised not to use the same password on multiple websites, to enable 2FA immediately, and to remove bank details or unlink bank accounts to prevent fraudulent withdrawals.

Credential-stuffing attacks are rapidly growing in number due to easily accessible automated tools and aggregated lists containing leaked credentials.

Okta reported that it had recorded more than 10 billion credential-stuffing incidents in the first three months of 2022.

That figure represents 34% of all authentication traffic tracked by Okta, meaning that 1 in 3 sign-in attempts is malicious or fraudulent.