Posted on: December 20, 2022, 02:22h.
Last updated on: December 20, 2022, 02:22h.
A November cyberattack compromised sensitive data of almost 68,000 DraftKings customers, the gaming company said in a filing with the Maine Attorney General’s office.
Following the incident, DraftKings acknowledged approximately $300,000 was pilfered from bettors’ accounts and that it would restore those lost funds. The Boston-based gaming company also noted the attack wasn’t a breach of its internal cybersecurity systems, but rather something known as credential stuffing. In a credential stuffing attack, hackers leverage the fact that many customers deploy the same information — emails, passwords and usernames — across multiple internet platforms to gain access to sensitive data.
“Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” according to a letter sent from the company to customers.
Following the data controversy, analysts noted it was simply a matter of time before the online gaming industry’s cyber defenses were tested by bad actors because of the amount of capital that flows in and out of client accounts. Industry observers believe the largest fallout from the attack will likely be on DraftKings user trends and confidence.
What the Hackers Accessed in DraftKings Accounts
Aside from depleting customer accounts, it appears unlikely the credential stuffers obtained highly sensitive financial data in the nefarious effort.
DraftKings notes the cyber thieves likely gained access to clients’ name, address, phone number, email address, last four digits of payment card, account activity and date of last password change. The internet casino operator added other material information wasn’t vulnerable.
“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number,” according to the letter. “While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”
DraftKings is urging affected clients to again reset their passwords and closely monitor their credit reports for anything unusual. In its letter to customers, the gaming company provides the contact information for the three major credit bureaus.
Credential Stuffing Big Thing Among Cyber Thieves
Credential stuffing is increasingly common among hackers and the FBI recently warned that companies and consumers need to be diligent in safeguarding against it.
“Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries — to include media companies, retail, healthcare, restaurant groups and food delivery — to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders,” according to the law enforcement agency.
Typically, customers’ priorities with sports wagering apps are ease of use, fast withdrawal times, and the breadth of betting options. However, the DraftKings hack could make operators’ cybersecurity protocols points of emphasis for clients.