Sports betting site DraftKings has been hit by a credential-stuffing attack, leading to a loss of $300,000. The company has assured its customers that they will be reimbursed.
A statement from DraftKings noted that some customers had experienced irregular activity with their accounts. The company currently believes that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts, where they had reused the same login information. "We have seen no evidence to suggest that DraftKings' systems were breached to obtain this information," the statement said.
This points to a classic credential-stuffing attack, in which threat actors buy up username/password combinations from underground breach sites, feed them into automated tools and try them across the internet to see where individuals have reused them.
The company does appear to have been slow to respond to customer complaints, which in turn may have enabled the threat actors to make off with more customer funds from bank accounts linked to their DraftKings accounts.
It appears that, once they had hijacked these accounts, the cyber-criminals changed the passwords and enabled two-factor authentication for a phone number in their possession, locking out the legitimate customer.
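The two signals described above, a single source trying many different usernames with mostly failures, and a successful login followed within minutes by a password change and a 2FA phone change, can be turned into simple detection logic. The following is an added example, not code from the article or from DraftKings; the event format and thresholds are assumptions, and the login events are constructed.

```python
"""Credential-stuffing and account-takeover signals over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): (timestamp, event, user, source_ip)
EVENTS = [
    ("2022-11-18T10:00:01", "login_fail", "alice", "203.0.113.7"),
    ("2022-11-18T10:00:02", "login_fail", "bob", "203.0.113.7"),
    ("2022-11-18T10:00:03", "login_fail", "carol", "203.0.113.7"),
    ("2022-11-18T10:00:04", "login_ok", "dave", "203.0.113.7"),
    ("2022-11-18T10:00:05", "login_fail", "erin", "203.0.113.7"),
    ("2022-11-18T10:00:06", "login_fail", "frank", "203.0.113.7"),
    ("2022-11-18T10:01:10", "password_change", "dave", "203.0.113.7"),
    ("2022-11-18T10:01:40", "mfa_phone_change", "dave", "203.0.113.7"),
    ("2022-11-18T10:05:00", "login_fail", "grace", "198.51.100.20"),
    ("2022-11-18T10:05:30", "login_ok", "grace", "198.51.100.20"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev in ("login_fail", "login_ok"):
            by_ip[ip].append((parse(ts), ev, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _, _) in enumerate(attempts):
            win = [a for a in attempts[i:] if a[0] - t0 <= window]
            users = {a[2] for a in win}
            fails = sum(1 for a in win if a[1] == "login_fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "fail_ratio": round(fails / len(win), 2)}
                break  # one hit per IP is enough to raise an alert
    return flagged

def takeover_candidates(events, suspicious_ips, within=timedelta(minutes=10)):
    """Accounts where a login from a flagged IP was followed by password AND MFA phone changes."""
    logins = [(parse(ts), u, ip) for ts, ev, u, ip in events if ev == "login_ok" and ip in suspicious_ips]
    changes = defaultdict(set)
    for ts, ev, user, ip in events:
        if ev in ("password_change", "mfa_phone_change"):
            for t_login, u, _ in logins:
                if u == user and timedelta(0) <= parse(ts) - t_login <= within:
                    changes[user].add(ev)
    return sorted(u for u, evs in changes.items() if {"password_change", "mfa_phone_change"} <= evs)

if __name__ == "__main__":
    ips = stuffing_sources(EVENTS)
    print(ips, takeover_candidates(EVENTS, ips))
```

Accounts returned by `takeover_candidates` are the ones to freeze and contact out of band, since the attacker's new 2FA phone number means the account owner can no longer be reached through the account itself.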
The company urged customers to use unique passwords on all sites they log in to across the web, and not to share these credentials with any third parties. However, it omitted to mention the importance of enabling 2FA, which adds an extra layer of protection against credential-stuffing attacks.