DraftKings gamblers lose $300,000 to credential stuffing attack
Users of the sports betting site rolled the dice on reusing passwords and lost
A credential stuffing attack over the weekend that affected sports betting biz DraftKings resulted in as much as $300,000 being stolen from customer accounts.
The Boston-based company said that its systems were not breached but that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where the same passwords were reused.
In the statement on Twitter, Paul Liberman, co-founder and president of DraftKings, wrote that the company would replace the money taken from the customers. Liberman also warned customers to use unique passwords for DraftKings and other sites that require them for authentication.
"We strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps," he wrote.
Complaints from customers began popping up on Reddit, Twitter, and other social media sites about being locked out of their DraftKings accounts and having all their money siphoned off. Some wrote about an initial $5 deposit being made followed by their passwords being changed. In addition, some said two-factor authentication (2FA) was set up for their account and directed to another phone that wasn't theirs.
Many directed their anger at DraftKings.
"Hacked, account drained, and an automated email response" from DraftKings, one customer wrote on Reddit. "2FA was set up without a user's permission, redirected to an unknown phone number and now we can't log in to our account."
Another wrote: "Fortunately for me they didn't get the chance to withdraw. Tried to deposit $5 and it failed, so they couldn't withdraw through the card. All support has done is 'restrict my account' so they can 'investigate' we'll see what happens."
This is only the latest cautionary tale about the dangers of using the same login data for multiple online accounts and helps to fuel the demand by some tech vendors like Microsoft, Google, and Apple for the industry to move away from passwords as an authentication tool and toward alternatives, such face or fingerprint scanning.
Other tools like 2FA or multi-factor authentication (MFA) also are crucial – though not foolproof – ways of protecting online accounts, according to James McQuiggan, security awareness advocate at KnowBe4.
"When users have the same password for various accounts, cybercriminals will probably gain access to that account," McQuiggan told The Register. "Victims will feel it could never happen to them, but when a cybercriminal can access your account, they can change the password and lock you out, as seen with this incident with DraftKings."
- US election workers slammed with phishing, malware-stuffed emails
- Iranian cyberspies exploited Log4j to break into a US govt network
- Education tech giant gets an F for security after sensitive info on 40 million users stolen
- Store credit card numbers in a debug log, lose millions of accounts. Cost? $1.9m
With credential stuffing, attackers will take sign-on credentials stolen from other online accounts or bought on the dark web and use automated software to launch thousands or millions of brute-force login attempts on other accounts to steal data and money. This is where the danger of reusing usernames and passwords for multiple accounts comes into play.
A problem is that people these days can have myriad accounts that need login credentials. The Identity Theft Resource Center estimates that the average person have about 100 accounts that require passwords, a reason why the organization says that only about 15 percent of people use strong and unique passwords.
Akamai said it had detected more than 100 billion credential-stuffing attacks from July 2018 to June 2020.
The FBI in August issued an advisory about the threat of credential stuffing, noting that there are numerous publicly accessible websites that offer stolen credential for sale. The agency pointed to two sites that contained more than 300,000 unique sets of stolen credentials, had more than 175,000 registered customers, and had made more than $400,000 in sales.
A site like DraftKings is an attractive target. The company pulls in a lot of money, reporting third-quarter revenue of $502 million – a 136 percent year-over-year increase – with $493 million being made in the company's B2C segment.
DraftKings also saw the number of monthly unique paying customers grow 22 percent to 1.6 million, with the average revenue per customer reaching $100, a 114 percent increase. ®