DraftKings users lose $300,000 to credential attack • The Register
A login attack over the weekend that affected sports betting at DraftKings resulted in as much as $300,000 being stolen from customer accounts.
The Boston-based company said its systems were not breached, but that the login information of the affected customers was stolen elsewhere and used in their DraftKings accounts, where the same passwords were reused.
In a statement on Twitter, Paul Liberman, co-founder and president of DraftKings, wrote that the company would replace the money taken from customers. Liberman also warned customers to use unique passwords for DraftKings and for other sites that require them for authentication.
“We strongly recommend that customers do not share their passwords with anyone, including third-party sites for the purpose of tracking game information on DraftKings and other game apps,” he wrote.
Complaints from customers began to surface on Reddit, Twitter and other social media sites about being banned from their DraftKings accounts and having all of their money removed. Someone wrote about an initial deposit of $5 followed by their passwords being changed. Additionally, some said two-factor authentication (2FA) was set up for their account and directed to another phone that wasn’t theirs.
Many directed their anger at DraftKings.
“Hacked, account tapped and an automated email response” from DraftKings, one customer wrote on Reddit. “2FA was set up without a user’s permission, redirected to an unknown phone number and now we can’t log into our account.”
Another wrote: “Luckily for me they didn’t get a chance to cash out. Tried depositing $5 and it failed so they couldn’t cash out via card. All support has done is ‘restrict my account’ so they can ‘investigate.’ We’ll see what happens.”
It’s just the latest cautionary tale about the dangers of using the same login credentials for multiple online accounts, and it is helping to fuel calls from tech vendors such as Microsoft, Google and Apple for the industry to move away from passwords as an authentication tool and toward alternatives such as facial recognition or fingerprint scanning.
Other tools like 2FA or multi-factor authentication (MFA) are also important — but not foolproof — ways to protect online accounts, according to James McQuiggan, security awareness attorney at KnowBe4.
“When users have the same password for different accounts, cybercriminals are likely to gain access to that account,” McQuiggan told The Register. “Victims will feel like it could never happen to them, but once a cybercriminal can gain access to your account, they can change your password and lock you out, as seen with this incident with DraftKings.”
In credential stuffing, attackers take login information stolen from other online services or purchased on the dark web and use automated tools to replay those username and password pairs, thousands or millions at a time, against the login pages of other services, hoping to find accounts where the same credentials were reused and then drain data and money from them. This is where the danger of reusing usernames and passwords across multiple accounts comes in.
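From the defender's side, the pattern just described shows up in login telemetry as one source hammering many different accounts with a high failure rate, and the takeover that follows a reused password shows up as a success from a never-seen address quickly followed by a password change and a fresh 2FA enrolment, which is exactly what the customers quoted above complained about. The following Python script is an added illustration written for this article; it is not DraftKings' or The Register's code, and every username, IP address and timestamp in it is constructed. The field names, thresholds and event types (`login`, `password_change`, `mfa_enroll`) are assumptions about what an authentication log might contain.

```python
"""
Two detection rules for credential stuffing and the account takeover that
follows it, run over a constructed sample of login events.

Added example for illustration only; not code from DraftKings or The Register.
Event schema, thresholds and all sample values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source_ip, username, event, outcome).
# 203.0.113.7 is the stuffing source; only "dave" reused a leaked password.
SAMPLE_EVENTS = [
    ("2022-11-18T09:00:00", "198.51.100.20", "alice", "login", "success"),
    ("2022-11-18T09:05:00", "198.51.100.21", "carol", "login", "success"),
    ("2022-11-18T09:10:00", "198.51.100.23", "dave", "login", "success"),
    ("2022-11-18T18:00:00", "198.51.100.22", "bob", "login", "fail"),      # typo
    ("2022-11-18T18:00:30", "198.51.100.22", "bob", "login", "success"),
    ("2022-11-19T02:00:01", "203.0.113.7", "alice", "login", "fail"),
    ("2022-11-19T02:00:02", "203.0.113.7", "bob", "login", "fail"),
    ("2022-11-19T02:00:03", "203.0.113.7", "carol", "login", "fail"),
    ("2022-11-19T02:00:04", "203.0.113.7", "dave", "login", "success"),   # reuse
    ("2022-11-19T02:00:05", "203.0.113.7", "erin", "login", "fail"),
    ("2022-11-19T02:00:06", "203.0.113.7", "frank", "login", "fail"),
    ("2022-11-19T02:00:07", "203.0.113.7", "grace", "login", "fail"),
    ("2022-11-19T02:03:00", "203.0.113.7", "dave", "password_change", "success"),
    ("2022-11-19T02:04:00", "203.0.113.7", "dave", "mfa_enroll", "success"),
]


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime for sorting."""
    keys = ("ts", "ip", "user", "event", "outcome")
    events = []
    for row in rows:
        rec = dict(zip(keys, row))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts in a short window
    and mostly fail: the signature of replayed credential lists rather
    than of one person mistyping their own password."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            ratio = sum(e["outcome"] == "fail" for e in win) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip, {"distinct_users": 0})
                if len(users) >= prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win),
                                   "fail_ratio": round(ratio, 2)}
    return flagged


def find_takeover_indicators(events, window=timedelta(minutes=30)):
    """Flag a successful login from an address the account has never used
    when the same address changes the password and enrols a new MFA
    factor shortly afterwards (the lock-out pattern described by victims)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        known_ips = set()
        for i, e in enumerate(evs):
            if e["event"] != "login" or e["outcome"] != "success":
                continue
            if e["ip"] not in known_ips:
                later = {x["event"] for x in evs[i + 1:]
                         if x["ip"] == e["ip"] and x["ts"] - e["ts"] <= window}
                if {"password_change", "mfa_enroll"} <= later:
                    hits.append({"user": user, "ip": e["ip"],
                                 "at": e["ts"].isoformat()})
            known_ips.add(e["ip"])
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("stuffing sources:", find_stuffing_sources(evs))
    print("takeover indicators:", find_takeover_indicators(evs))
```

On the constructed sample, the first rule flags only 203.0.113.7 (seven accounts tried, six failures) and leaves the customer who mistyped once alone; the second rule flags only "dave", whose reused password let the same address in and rotate the password and 2FA within minutes. In production the thresholds would be tuned per site, and a hit on the second rule is a reason to hold withdrawals and notify the account owner through a channel established before the change, not the newly enrolled phone.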
One problem is that people these days can have countless accounts that need login information. The Identity Theft Resource Center estimates that the average person has about 100 accounts that require passwords, one reason why the organization says only about 15 percent of people use strong and unique passwords.
Akamai said it had detected more than 100 billion credential stuffing attacks from July 2018 to June 2020.
The FBI issued an advisory in August about the threat of credential stuffing, noting that there are many publicly available websites that offer stolen credentials for sale. The agency pointed to two websites that contained more than 300,000 unique sets of stolen credentials, had more than 175,000 registered customers and had generated more than $400,000 in sales.
A site like DraftKings is an attractive target. The company is pulling in a lot of cash, reporting revenue of $502 million in the third quarter — a 136 percent year-over-year increase — with $493 million in the company’s B2C segment.
DraftKings also saw its number of monthly unique paying customers grow 22 percent to 1.6 million, with average revenue per customer hitting $100, a 114 percent increase. ®