Sports betting giant DraftKings has notified an undisclosed number of customers that their accounts were hacked in a recent wave of credential stuffing attacks.
DraftKings, a gambling company based in Boston and founded in 2012, offers sportsbook and daily fantasy sports (DFS) services and is an official partner of the NFL, NHL, PGA TOUR, WNBA, UFC, and NASCAR. DraftKings employs over 5,100 people and reported revenues of $4.77 billion at the end of 2024.
In data breach notification letters sent on Thursday, October 2, DraftKings informed affected customers that attackers had gained access to their accounts and a “limited amount” of their data in attacks that bore all the hallmarks of a credential stuffing campaign.
Credential stuffing involves attackers using automated tools to breach user accounts with stolen username/password pairs from other online services, a tactic that is especially effective against those who reuse credentials across multiple platforms. The threat actors aim to take over accounts to steal personal and financial information, which can later be sold on the dark web or used for identity theft and other malicious purposes.
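As an added illustration (not part of the BleepingComputer article and not DraftKings' code), the following shows how a defender can separate the credential stuffing pattern described above from an ordinary user retrying a forgotten password: one source spraying many different usernames with a high failure rate, versus one source retrying a single account. The log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data), one event per line:
# "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2025-10-02T01:00:01,203.0.113.5,alice,FAIL
2025-10-02T01:00:02,203.0.113.5,bob,FAIL
2025-10-02T01:00:03,203.0.113.5,carol,FAIL
2025-10-02T01:00:04,203.0.113.5,dave,SUCCESS
2025-10-02T01:00:05,203.0.113.5,erin,FAIL
2025-10-02T01:00:06,203.0.113.5,frank,FAIL
2025-10-02T01:00:07,198.51.100.9,grace,FAIL
2025-10-02T01:00:08,198.51.100.9,grace,FAIL
2025-10-02T01:00:09,198.51.100.9,grace,SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def flag_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Map each suspicious source IP to the accounts it logged into.

    A source is flagged when it tried at least `min_users` distinct usernames
    and most of those attempts failed (assumed thresholds). A single user
    retrying one account never reaches the distinct-username threshold.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)      # account the source actually got into
        else:
            stats["fails"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        spray = len(stats["users"]) >= min_users
        mostly_failing = stats["fails"] / stats["attempts"] >= min_fail_ratio
        if spray and mostly_failing:
            flagged[ip] = sorted(stats["hits"])
    return flagged


def accounts_to_reset(flagged):
    """Accounts that a flagged source logged into: candidates for a forced password reset and MFA."""
    return sorted({user for hits in flagged.values() for user in hits})
```

On the constructed log, the spraying source is flagged and only the account it successfully entered is queued for a forced reset, while the user retrying their own password is left alone.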
However, the company said the attackers did not access sensitive data like “government-issued identification numbers, full financial account numbers,” or other information that would have enabled them to breach customers’ bank accounts or commit identity theft.
“By stealing login credentials from a non-DraftKings source and using them in this attack, however, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts,” DraftKings said.
“In the event your account was accessed, the attacker may have been able to view your name, address, date of birth, phone number, email address, last four digits of a payment card, profile photo, information about prior transactions, account balance, and date your password was last changed.”
In response to these attacks, the company will require potentially affected customers to reset their DraftKings account passwords and enable multifactor authentication for logins to DK Horse accounts.
DraftKings also advised customers to change their account passwords, review their bank accounts and credit reports, place security freezes on their credit reports, and set up fraud alerts on their credit files as a precaution.
A DraftKings spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
DraftKings also revealed in November 2022 that up to $300,000 was stolen from accounts breached in another credential stuffing campaign. One month later, the sports betting company refunded hundreds of thousands of dollars to 67,995 customers whose accounts were hacked in the incident.
The FBI has warned for years that credential stuffing attacks are a massively growing threat due to readily available aggregated lists of leaked credentials and automated tools.
