DraftKings gamblers lose $300,000 to credential stuffing attack

A credential stuffing attack over the weekend that affected sports betting biz DraftKings resulted in as much as $300,000 being stolen from customer accounts.

The Boston-based company said that its systems were not breached but that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where the same passwords were reused.

In a statement on Twitter, Paul Liberman, co-founder and president of DraftKings, wrote that the company would replace the money taken from the customers. Liberman also warned customers to use unique passwords for DraftKings and other sites that require them for authentication.

“We strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps,” he wrote.

Complaints from customers began popping up on Reddit, Twitter, and other social media sites about being locked out of their DraftKings accounts and having all their money siphoned off. Some wrote about an initial $5 deposit being made followed by their passwords being changed. In addition, some said two-factor authentication (2FA) was set up for their account and directed to another phone that wasn’t theirs.
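The sequence customers describe (a small deposit, then a password change and 2FA enrollment to an unfamiliar phone) can be written as a detection rule over account events. The following is an added example, not DraftKings' code; the event names, the one-hour window, the account IDs and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window, tune to your data
SMALL_DEPOSIT = 5.00         # the $5 figure is from the customer reports

# Constructed sample events: (account, timestamp, event, detail). Not real data.
EVENTS = [
    ("acct-1", "2000-01-01T03:00:00", "deposit", 5.00),
    ("acct-1", "2000-01-01T03:02:00", "password_change", None),
    ("acct-1", "2000-01-01T03:03:00", "2fa_enroll", "+15550100"),
    ("acct-2", "2000-01-01T09:00:00", "deposit", 50.00),  # ordinary top-up
    ("acct-2", "2000-01-01T09:05:00", "password_change", None),
    ("acct-3", "2000-01-01T10:00:00", "deposit", 5.00),
    ("acct-3", "2000-01-01T10:01:00", "2fa_enroll", "+15550123"),  # owner's phone
    ("acct-4", "2000-01-01T11:00:00", "deposit", 5.00),
    ("acct-4", "2000-01-01T15:00:00", "password_change", None),  # outside window
]
KNOWN_PHONES = {"acct-1": {"+15550199"}, "acct-3": {"+15550123"}}


def flag_takeovers(events, known_phones, window=WINDOW):
    """Map each suspicious account to the sensitive changes that followed a small deposit."""
    by_account = defaultdict(list)
    for account, ts, kind, detail in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, detail))

    flagged = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])  # order by time only; details are mixed types
        deposit_at = None
        for when, kind, detail in rows:
            if kind == "deposit" and detail <= SMALL_DEPOSIT:
                deposit_at = when  # start (or restart) the correlation window
                continue
            if deposit_at is None or when - deposit_at > window:
                continue
            if kind == "password_change":
                flagged.setdefault(account, []).append(kind)
            elif kind == "2fa_enroll" and detail not in known_phones.get(account, set()):
                flagged.setdefault(account, []).append("2fa_to_unknown_phone")
    return flagged


if __name__ == "__main__":
    for account, signals in flag_takeovers(EVENTS, KNOWN_PHONES).items():
        print(account, "->", ", ".join(signals))
```

A flagged account is a candidate for holding withdrawals and confirming the change through a contact method that was on file before the password or 2FA change.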

Many directed their anger at DraftKings.

“Hacked, account drained, and an automated email response” from DraftKings, one customer wrote on Reddit. “2FA was set up without a user’s permission, redirected to an unknown phone number and now we can’t log in to our account.”

Another wrote: “Fortunately for me they didn’t get the chance
