Sports betting company DraftKings has shared more details about the recent account breach it suffered.
In late November, the company’s co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor apparently used credential stuffing to try to log into people’s DraftKings accounts.
The criminals succeeded in thousands of instances and ended up pulling more than $300,000 from people’s accounts – although DraftKings has since refunded the affected customers.
No credit card info stolen
Now, in a breach notification filed with the Maine Attorney General’s office, the company said a total of 67,995 people have had their accounts compromised.
DraftKings said that the threat actor obtained the login information elsewhere and tried it against the accounts on its platform. The attack succeeded not because of a flaw at DraftKings, but because its users had poor security practices and reused the same passwords across multiple services.
The document also details the type of information that was accessed during the incident, showing that identity theft and impersonation attacks could follow in the near future:
“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the announcement claims.
“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”
Besides refunding the money to affected customers, DraftKings also reset people’s accounts and introduced new fraud alerts. It also urged its users to use unique passwords for their online accounts, to activate multi-factor authentication (MFA) wherever possible, and to never share their login credentials with third parties.
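As an added illustration from the defender's side (not from the article or from DraftKings), the following Python shows how the pattern described above, one source trying leaked username/password pairs against many different accounts, appears in authentication logs, and how a platform could flag such sources and the accounts they managed to open for a reset and a fraud alert. The log lines, field layout and thresholds are constructed for this example.

```python
"""Flag credential-stuffing sources in authentication logs.

Credential stuffing replays credential pairs leaked elsewhere against many
accounts, so its signature is one source touching many distinct usernames
with a high failure rate, unlike a single user retyping their own password.
"""
from collections import defaultdict

# Constructed sample log (no real customer data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-11-18T10:00:01Z 203.0.113.7 alice FAIL
2022-11-18T10:00:02Z 203.0.113.7 bob FAIL
2022-11-18T10:00:02Z 203.0.113.7 carol SUCCESS
2022-11-18T10:00:03Z 203.0.113.7 dave FAIL
2022-11-18T10:00:03Z 203.0.113.7 erin FAIL
2022-11-18T10:00:04Z 203.0.113.7 frank SUCCESS
2022-11-18T10:00:09Z 198.51.100.2 alice FAIL
2022-11-18T10:00:15Z 198.51.100.2 alice FAIL
2022-11-18T10:00:20Z 198.51.100.2 alice SUCCESS
"""


def parse_log(text):
    """Yield (source_ip, username, success) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, user, outcome = parts
        yield src, user, outcome == "SUCCESS"


def find_stuffing_sources(log_text, min_accounts=5, min_fail_rate=0.5):
    """Return {source_ip: (distinct_accounts, failure_rate, accounts_opened)}
    for sources that hit many distinct accounts with mostly failed logins.
    accounts_opened lists the usernames that should be reset and alerted."""
    per_source = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                      "accounts": set(), "hits": set()})
    for src, user, ok in parse_log(log_text):
        s = per_source[src]
        s["attempts"] += 1
        s["accounts"].add(user)
        if ok:
            s["hits"].add(user)  # a leaked pair that matched: treat as compromised
        else:
            s["failures"] += 1
    flagged = {}
    for src, s in per_source.items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[src] = (len(s["accounts"]), round(fail_rate, 2), sorted(s["hits"]))
    return flagged
```

In the sample, 203.0.113.7 is flagged with two opened accounts, while 198.51.100.2 (one user failing twice before logging in) is not, which is the distinction a per-account lockout alone would miss.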
Via: BleepingComputer