DraftKings recently confirmed that it suffered a data breach affecting the personal data of 67,995 customers.
In a notification filed with the Maine Attorney General’s Office, the sports betting firm revealed that cyber criminals accessed customers’ names, addresses, phone numbers, email addresses, payment card data, profile photos, transaction histories, account balances and the date of the most recent password change.
“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads.
“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”
Following an investigation, DraftKings said that the breach is related to a credential-stuffing campaign last month.
In this type of attack, cyber criminals use automated tools to guess people's passwords. Dedicated programs store millions of common passwords and can try them rapidly. Unless an account is protected by strong credentials, it is only a matter of time before its password is cracked.
DraftKings noted that cyber criminals followed a pattern after hijacking an account. The fraudsters made an initial $5 deposit, and then requested to change the account password, which would lock the original owner out.
They would also enable two-factor authentication on a different phone number and then withdraw as much as possible from the victim’s linked bank account.
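The takeover sequence DraftKings describes (small probe deposit, password change, 2FA moved to a new phone number, then a withdrawal) is something an operator can look for in account-activity logs. The following is an added illustration, not DraftKings' own detection logic; the log format, the event names, the $10 "small deposit" threshold and the 24-hour window are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-activity log (hypothetical events, not real DraftKings data).
# Fields: account id, ISO-8601 timestamp, event type, amount in USD (blank when not applicable).
SAMPLE_LOG = """\
acct-1,2022-11-18T10:00:00,login,
acct-1,2022-11-18T10:01:00,deposit,5.00
acct-1,2022-11-18T10:03:00,password_change,
acct-1,2022-11-18T10:05:00,2fa_phone_change,
acct-1,2022-11-18T10:20:00,withdrawal,1200.00
acct-2,2022-11-18T11:00:00,login,
acct-2,2022-11-18T11:30:00,deposit,50.00
acct-2,2022-11-20T09:00:00,withdrawal,20.00
acct-3,2022-11-18T12:00:00,deposit,5.00
acct-3,2022-11-18T12:02:00,password_change,
acct-3,2022-11-18T12:04:00,withdrawal,300.00
"""

# The takeover sequence reported in the breach notification, in order.
TAKEOVER_CHAIN = ("deposit", "password_change", "2fa_phone_change", "withdrawal")
SMALL_DEPOSIT_MAX = 10.0      # assumption: probe deposits are tiny, like the $5 one reported
WINDOW = timedelta(hours=24)  # assumption: the whole chain completes within a day

def parse_log(text):
    """Group events per account as (timestamp, event, amount) tuples sorted by time."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        acct, ts, kind, amount = line.split(",")
        events[acct].append((datetime.fromisoformat(ts), kind, float(amount) if amount else None))
    for acct in events:
        events[acct].sort()
    return events

def matches_chain(events):
    """Return the matched timestamps if the full chain appears in order within WINDOW, else None."""
    idx, matched = 0, []
    for ts, kind, amount in events:
        if matched and ts - matched[0] > WINDOW:
            idx, matched = 0, []  # chain went stale; look for a fresh start
        if kind != TAKEOVER_CHAIN[idx]:
            continue
        if kind == "deposit" and (amount is None or amount > SMALL_DEPOSIT_MAX):
            continue  # only a small probe deposit starts the chain
        matched.append(ts)
        idx += 1
        if idx == len(TAKEOVER_CHAIN):
            return matched
    return None

def flag_takeovers(log_text):
    """Return sorted account ids whose activity matches the whole takeover chain."""
    return sorted(acct for acct, evs in parse_log(log_text).items() if matches_chain(evs))
```

Accounts that show only part of the chain (acct-3 never moves 2FA) are deliberately not flagged; in practice a partial match would still be worth a lower-severity alert.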
Although DraftKings has not shared any specific information about how the attackers stole funds, other reports show that stolen credentials were being sold on the dark web for between $10 and $35.
The sales included instructions on how the purchasers could use the same technique to drain the compromised accounts.
[Image: Instructions on how to empty breached DraftKings accounts (source: Bleeping Computer)]
After discovering the intrusions, DraftKings reset victims' accounts and began implementing fraud alerts. It also restored the funds of those affected, a total of up to $300,000.
DraftKings is now warning customers to follow best practices for passwords. In particular, they should avoid reusing credentials across multiple accounts.
Fraudsters know that this is a common practice, so once they have guessed a user’s password, they will try to use it elsewhere.