DraftKings admitted on Monday that some of its customers were targeted in credential stuffing attacks that allowed hackers to take over their accounts and transfer funds.
Since DraftKings is a sports betting company, many users have money in their accounts. Some users even linked their bank accounts to their DraftKings accounts, which makes them even more attractive targets for criminals.
According to reports, users first started to report issues with their DraftKings accounts over the weekend. The threat actors' tactics were very direct: they accessed the accounts (likely with information acquired from other data breaches) and then quickly extracted funds.
The common denominator for all hijacked accounts seems to be an initial $5 deposit, after which the threat actors changed the password and enabled two-factor authentication (2FA) on a different phone number before withdrawing as much as possible from the victims’ linked bank accounts.
Redirecting 2FA to another phone number also locked the actual owners out of their accounts.
Since many users have their bank accounts linked to DraftKings, some withdrawals were made directly from the banks.
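The sequence reported above (a $5 deposit, a password change, a 2FA phone change, then a withdrawal) can be expressed as an ordered detection rule over account events. The following Python is an added example, not code from DraftKings or from this article; the event schema, event-type names, account ids, strict stage order and one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type, detail).
# Hypothetical schema; these are not real DraftKings logs.
EVENTS = [
    ("2024-01-06T03:10:00", "acct-1001", "login", {}),
    ("2024-01-06T03:12:00", "acct-1001", "deposit", {"amount": 5.00}),
    ("2024-01-06T03:13:00", "acct-1001", "password_change", {}),
    ("2024-01-06T03:15:00", "acct-1001", "2fa_phone_change", {}),
    ("2024-01-06T03:20:00", "acct-1001", "withdrawal", {"amount": 900.00}),
    # Ordinary activity: deposit and withdrawal with no credential changes.
    ("2024-01-06T09:00:00", "acct-2002", "deposit", {"amount": 50.00}),
    ("2024-01-06T09:30:00", "acct-2002", "withdrawal", {"amount": 20.00}),
    # Same event types, but spread over hours: outside the window.
    ("2024-01-06T10:00:00", "acct-3003", "deposit", {"amount": 5.00}),
    ("2024-01-06T10:05:00", "acct-3003", "password_change", {}),
    ("2024-01-06T13:30:00", "acct-3003", "2fa_phone_change", {}),
    ("2024-01-06T13:35:00", "acct-3003", "withdrawal", {"amount": 10.00}),
]

# Ordered stages of the takeover pattern described in the article.
STAGES = [
    lambda etype, d: etype == "deposit" and d.get("amount") == 5.00,
    lambda etype, d: etype == "password_change",
    lambda etype, d: etype == "2fa_phone_change",
    lambda etype, d: etype == "withdrawal",
]
WINDOW = timedelta(hours=1)  # assumed maximum span of the whole sequence


def flag_takeovers(events, window=WINDOW):
    """Return accounts whose events hit every stage, in order, within window."""
    progress = {}  # account -> (index of next stage, time the first stage matched)
    flagged = []
    for ts, acct, etype, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        stage, start = progress.get(acct, (0, None))
        if stage and when - start > window:
            stage, start = 0, None  # sequence went stale; start over
        if stage < len(STAGES) and STAGES[stage](etype, detail):
            start = start or when
            stage += 1
            if stage == len(STAGES) and acct not in flagged:
                flagged.append(acct)
        progress[acct] = (stage, start)
    return flagged


if __name__ == "__main__":
    print(flag_takeovers(EVENTS))
```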
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” said DraftKings President and Cofounder Paul Liberman in a Tweet on Monday.
“We have seen no evidence that DraftKings’ systems were breached to obtain this information. We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted,” Liberman added.
The company says that criminals likely used credentials from other data breaches and advised DraftKings users to change their credentials immediately and replace them with entirely unique ones for their app. It also advised users to unlink their DraftKings and banking accounts and to set up 2FA if they haven’t already.