Sports betting company DraftKings said today that it would make whole customers affected by a credential stuffing attack that led to losses of up to $300,000.
The statement follows an early Monday morning tweet saying that DraftKings was investigating reports [1, 2, 3, 4] of customers experiencing issues with their accounts.
The common denominator for all accounts that got hijacked seems to be an initial $5 deposit followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, and then withdrawing as much as possible from the victims’ linked bank accounts.
Some victims have also expressed their frustration on social media because they were unable to get in contact with anyone at DraftKings while having to watch the attackers repeatedly withdrawing money from their bank accounts.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” revealed DraftKings President and Cofounder Paul Liberman more than 12 hours later.
“We have seen no evidence that DraftKings’ systems were breached to obtain this information. We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted.”
The company advised customers never to use the same password for more than one online service and never to share their credentials with third-party platforms, including betting trackers and betting apps besides the ones provided by DraftKings.
DraftKings customers who haven’t yet been affected by this credential-stuffing campaign are advised to immediately turn on 2FA on their accounts and remove any banking details or, even better, unlink their bank accounts to block fraudulent withdrawal requests.
In credential stuffing, threat actors use automated tools to make repeated attempts (up to millions at a time) to gain access to user accounts using credentials (commonly in user/password pairs) stolen from other online services.
This works particularly well against the accounts whose owners have reused credentials across multiple platforms.
The goal is to take over as many accounts as possible to steal associated personal and financial info that can later be sold on the dark web or on hacking forums.
The attackers will also use the stolen info in future identity theft scams to make unauthorized purchases or—as it happened in the case of hijacked DraftKings accounts—transfer money in linked banking accounts to accounts under their control.
As the FBI warned recently, these attacks are quickly growing in volume thanks to readily available aggregated lists of leaked credentials and automated tools.
Okta also reported that the situation has drastically worsened this year as it recorded more than 10 billion credential-stuffing events on its platform during the first three months of 2022.
The number represents approximately 34% of the overall authentication traffic tracked by Okta, meaning that one-third of all sign-in attempts are malicious and fraudulent.