Hackers steal $300K from DraftKings in credential stuffing attack

DraftKings, the online sports betting platform, has acknowledged that some of its user accounts have been hacked. About $300,000 in funds has been stolen from the platform in a credential stuffing attack, and the company pledges to make affected customers whole.

A credential stuffing attack exploits password reuse: when a user’s password is used in multiple locations or platforms online, hackers take credentials compromised in one place and test them on a new target.

DraftKings customer support initially acknowledging the attack.

News of the attack first made headlines on Action Network, which detailed the fallout for affected customers over unauthorized account withdrawals. One DraftKings customer, Justin White, saw “five consecutive withdrawals of $500” from their bank account.

After trying to log in to his DraftKings account three times unsuccessfully, he was locked out and requested a new password. The phone number on file was a number he didn’t recognize, and at that moment, he realized he was hacked.

The struggle White and other affected customers like him quickly found out was that DraftKings lacks a true customer support hotline. This led to further panic as funds were being drained.

After the Action Network report, DraftKings stock tumbled 10% on the NASDAQ.

Despite many of the accounts having two-factor authentication (2FA) enabled, the attackers were able to bypass it with credential stuffing and 2FA code stealing, as pointed out by security researcher Rachel Tobac.

A full statement on behalf of DraftKings was released:

DraftKings says that there is no evidence that their actual network or website has been breached. According to Paul Liberman, co-founder and President Global Technology and Product at DraftKings, “we intend to make whole any customer that was impacted.”

If nothing else, this hack raises awareness of the cyber threat to linked financial accounts such as banking and credit cards. It also reinforces the need to have distinct user account passwords (and credentials) across the websites you are registered on.
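
The pattern reported above (one source trying reused passwords across many accounts, then a changed phone number and repeated withdrawals on the account that gives way) can be detected from authentication and account events. The Python below is an added example, not DraftKings' code; the event names, thresholds and sample log are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): time, source IP, account, event
EVENTS = [
    ("2024-01-01T02:00:01", "203.0.113.7", "alice", "login_fail"),
    ("2024-01-01T02:00:02", "203.0.113.7", "bob", "login_fail"),
    ("2024-01-01T02:00:03", "203.0.113.7", "carol", "login_fail"),
    ("2024-01-01T02:00:04", "203.0.113.7", "dave", "login_fail"),
    ("2024-01-01T02:00:05", "203.0.113.7", "user5", "login_ok"),
    ("2024-01-01T02:01:00", "203.0.113.7", "user5", "phone_change"),
    ("2024-01-01T02:02:00", "203.0.113.7", "user5", "withdrawal"),
    ("2024-01-01T02:03:00", "203.0.113.7", "user5", "withdrawal"),
    ("2024-01-01T09:00:00", "198.51.100.9", "erin", "login_fail"),
    ("2024-01-01T09:00:20", "198.51.100.9", "erin", "login_ok"),
    ("2024-01-01T09:05:00", "198.51.100.9", "erin", "withdrawal"),
]

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """IPs that try many distinct accounts and mostly fail: the stuffing signature."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, acct, kind in events:
        if kind in ("login_fail", "login_ok"):
            accounts[ip].add(acct)
            total[ip] += 1
            fails[ip] += kind == "login_fail"
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts and fails[ip] / total[ip] >= min_fail_ratio}

def takeover_accounts(events, window=timedelta(minutes=30), min_withdrawals=2):
    """Accounts where a successful login from a stuffing source is followed, within
    the window, by a phone-number change and repeated withdrawals."""
    bad_ips = stuffing_sources(events)
    state, flagged = {}, set()  # state: account -> [login time, phone changed, withdrawals]
    for ts, ip, acct, kind in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "login_ok" and ip in bad_ips:
            state[acct] = [t, False, 0]
        elif acct in state and t - state[acct][0] <= window:
            if kind == "phone_change":
                state[acct][1] = True
            elif kind == "withdrawal":
                state[acct][2] += 1
            if state[acct][1] and state[acct][2] >= min_withdrawals:
                flagged.add(acct)
    return flagged
```

On the sample log, only the account reached from the many-account source is flagged; the user who mistyped a password once and then withdrew is not.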
