Some DraftKings customers are getting refunds in the wake of the breach
A day after reports surfaced that DraftKings customers lost thousands of dollars to an apparent third-party breach over the weekend, the prominent sports betting operator on Tuesday sought to contain the fallout.
DraftKings confirmed Monday that many players had aspects of their customer accounts compromised by irregular activity on third-party sites on the Internet. The online hacks led to the unauthorized withdrawal of thousands of dollars in customer funds over a short period of time.
While DraftKings believes that hackers gained access to some customers’ login information, the company maintains that only about $300,000 of customer funds were affected. Also, DraftKings has seen no evidence that the company’s systems were breached to obtain the information, said Paul Liberman, who serves as president of global technology and product at DraftKings.
DraftKings says no evidence systems were breached after reporting a hack
— CNBC (@CNBC) 21 November 2022
As of noon Tuesday, some DraftKings customers received their stolen amounts back in full, while others reported new incidents of alleged fraudulent activity. A DraftKings spokesman on Tuesday did not officially comment on the activity pattern, but instead referred to Sports handle to a statement issued Monday by Liberman:
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the credentials of these customers were compromised on other websites and then used to access their DraftKings accounts where they used the same credentials, Liberman said.
News of the unauthorized activity was first reported Monday by The Action Network.
Anecdotal evidence of continued hacks
Even if DraftKings’ network was not breached, as the company claims, large cases involving cybersecurity breaches can take months to resolve. Target, one of the nation’s largest department store chains, suffered a highly publicized data breach in December 2013 that affected about 41 million payment card accounts. More than three years passed before Target reached an $18.5 million multistate settlement with customers in May 2017.
As with many issues in the sports betting ecosystem, customers tend to lose patience when the desired result is not achieved quickly. Many DraftKings customers have taken to Twitter to express concern at the busiest time of the year for the global sports calendar. The US men’s soccer team opened the 2022 FIFA World Cup on Monday with a 1-1 draw against Wales, while three games are on the NFL’s Thanksgiving Day schedule. DraftKings intends to refund all customers in full for lost funds, Liberman said.
.@DraftKings @DKSportsbook why was a fraudulent withdrawal from my account processed when I informed you several times within hours of the request that this withdrawal was not me. You have some serious questions to answer.
— NBA Polls (@LeadingNBAPolls) 20 November 2022
A customer received a notification from DraftKings at 10:11 PM CST on Sunday informing them of a withdrawal request. The customer, according to a screenshot posted on Twitter, made an apparent request that a check for $437 be sent to an apartment in a North Houston suburb. The request must be fraudulent, the customer claimed, since he said he doesn’t live near Houston.
Another customer outside Kansas City, Missouri, claimed a five-figure sum disappeared from his account during Sunday night’s AFC West game between the Kansas City Chiefs and Los Angeles Chargers. The customer told Yahoo Finance that nearly all of the funds from his $19,439.00 account had been withdrawn around 8:30 PM CST, an amount that was returned about 40 minutes later.
On Tuesday morning, messages began to circulate that refunds were trickling in to some customers. A customer who first complained on Twitter that his account had been hacked wrote that he recovered on Monday night 5000 dollars which was withdrawn. The user encouraged others to “flood DraftKings with emails” until their issues were resolved. Another customer who had taken about $3,000 from his account on Sunday said Sports handle that he received the full amount back by Tuesday before
Still, others apparently had their accounts compromised as late as Tuesday morning. A DraftKings customer said Sports handle that he received a fraud notification from his bank at approximately 8 o’clock on Tuesday. The player immediately drove to a local bank to file a fraud claim after a sum of $1,000 disappeared from his account.
“Not the way I wanted to see my Tuesday start, for sure,” he said Sports handle while speaking on condition of anonymity. “I would like to see this get as much attention as possible.”
While the primary source of the account disruptions has not been determined, there are some indications that cybercriminals may have engaged in a hacking technique known as “credential stuffing.” According to cybercrime experts, credential stuffing occurs when a person’s password is used in multiple places. From there, cybercriminals obtain the compromised credentials and then test them on a new website.
“We strongly encourage customers to use unique passwords for DraftKings and all other websites, and we strongly recommend that customers do not share their passwords with anyone, including third-party websites for the purpose of tracking game information on DraftKings and other gaming apps,” Liberman added to.
Some states have begun implementing regulations requiring customers to establish multi-factor authentication to log into a sportsbook app. In New Jersey this year, sportsbooks were required to implement a two-factor authentication (2FA) solution by June 30. Outside the Garden State, a Midwest customer at DraftKings who is an avid football player said. Sports handle on Tuesday that he had not stolen any funds because he maintains 2FA for all his accounts, along with complex passwords.
DraftKings users say accounts are hacked and large sums of money are stolen from bank accounts. Many claim that 2FA is enabled, so while it’s possible that this hack was cred stuffing + 2FA code theft or SIM swapping, it could also mean that DraftKings itself is dealing with compromises.
— Rachel Tobac (@RachelTobac) 21 November 2022
While DraftKings has not provided an update on the percentage of affected customers who have received refunds, the company may have a further update later Tuesday. At the same time, the company has not given any timetable for when it intends to refund all affected customers in full.
Beyond DraftKings, the unscrupulous activity could leave other top operators on edge. A FanDuel representative told CNBC on Monday that the company has noticed an increase in recent hacking activity, all of which has been unsuccessful. The disruptions also come at a time when, in the wake of the FTX bankruptcy, investors remain skeptical about the reliability of safeguards designed to keep customers’ funds safe.
Thousands of new sports bettors are expected to open accounts in Maryland this week ahead of Wednesday’s statewide launch of online sports betting.
Jordan Bender, an analyst with JMP Securities, wrote in a research note that several companies in the gaming and leisure space have been able to recover from experiencing a data breach. Bender points to events affecting MGM Resorts and Marriott as examples where a company’s stock price can bounce back after a cyber outage.
“Assuming this hack doesn’t turn into anything major, history has shown that previous hacks of credit cards and personal information in the gaming/leisure space have not significantly impacted long-term revenue,” notes Bender.
DraftKings stock initially plunged 10% on the news in Monday’s session, before paring some of its losses following Liberman’s statement. DraftKings closed Monday at $14.29, up from a session high of $13.37 per share.
As of Tuesday afternoon, DraftKings was trading around $14.60 per share, up more than 2.25% on the session.