Sports betting website DraftKings has promised to reimburse an undisclosed number of customers after they lost $300,000 through a suspected credential stuffing campaign.
A statement from the firm's co-founder, Paul Liberman, late yesterday said that some customers had experienced "irregular activity" with their accounts.
“We at this time feel that the login info of these buyers was compromised on other internet websites and then made use of to access their DraftKings accounts, where they utilised the very same login information and facts,” it continued.
“We have found no evidence to propose that DraftKings’ devices were breached to acquire these details.”
That would appear to indicate classic credential stuffing attacks, where threat actors pick up username/password combos from underground breach sites, feed them into automated tools and test them en masse across the web to see where people have reused them.
Liberman said he would "make whole" any customer that was impacted, although the company presumably has no legal responsibility in this case.
However, the company does appear to have been slow to respond to customer complaints, which in turn may have enabled the threat actors to make off with more customer funds from bank accounts linked to their DraftKings accounts.
It appears that, once they had hijacked these accounts, the cyber-criminals changed the passwords and enabled two-factor authentication (2FA) for a phone number in their possession, locking out the legitimate user.
“Messaged the ‘24/7’ assistance workforce various times as my income was being stolen,” said one angry customer on Twitter. “Could have simply been stopped in actual time as I identified the scam straight away, but no one was there on the two busiest sporting activities betting days of the week.”
Liberman urged customers to use unique passwords on all sites they log in to across the web, and not to share these credentials with any third parties. However, he omitted to mention the value of switching on 2FA, which provides an added layer of security against credential stuffing attacks.