DraftKings reveals thousands of customer accounts hit by cyberattack
Date:
Tue, 20 Dec 2022 16:47:47 +0000
Description:
DraftKings users saw $300,000 stolen from their accounts, but the money has since been refunded.
FULL STORY ======================================================================
Sports betting company DraftKings has shared more details about the recent account breach it suffered .
In late November, the companys co-founder and president, Paul Liberman, took to Twitter to announce a security incident after a threat actor apparently used credential stuffing to try and log into peoples DraftKings accounts.
The criminals succeeded in thousands of instances and ended up pulling more than $300,000 from peoples accounts - although DraftKings has since refunded the affected customers. No credit card info stolen
Now, in a breach notification filed with the Main Attorney Generals office, the company said a total of 67,995 people have had their accounts
compromised.
DraftKings said that the threat actor obtained the login information elsewhere, and tried it against the accounts on its platform. The attack was
a success not due to DraftKings, but rather due to its users having poor security practices and using the same passwords across multiple services.
The document also details the type of information that was accessed during
the incident, showing that identity theft and impersonation attacks could happen in the near future:
"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the announcement claims.
Malware defeated by Google rises from the ashes
Prevent credential stuffing attacks through attack cost analysis
Check out the best endpoint protection services right now
"At this time, there is currently no evidence that the attackers accessed
your Social Security number, driver's license number or financial account number.
"While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored
in your account."
Besides refunding the money to affected customers, DraftKings also reset peoples accounts and introduced new fraud alerts. It also urged its users to use unique passwords for their online accounts, to activate multi-factor authentication (MFA) wherever possible, and to never share their login credentials with third parties. Here are the best firewalls around
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/draftkings-reveals-thousands-of-customer-accoun ts-hit-by-cyberattack
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)