Sports betting site DraftKings has promised to reimburse an undisclosed number of customers after they lost $300,000 through a suspected credential stuffing campaign.
A statement from the firm’s co-founder, Paul Liberman, late yesterday noted that some customers had experienced “irregular activity” with their accounts.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” it continued.
“We have seen no evidence to suggest that DraftKings’ systems were breached to obtain this information.”
That would seem to indicate classic credential stuffing attacks, where threat actors buy up username/password combos from underground breach sites, feed them into automated tools and try them en masse across the internet, to see where they’ve been reused by individuals.
Liberman said he would “make whole” any customer who was impacted, although the firm presumably has no liability in this case.
However, the company does appear to have been slow to respond to customer complaints, which in turn may have enabled the threat actors to make off with more customer funds from bank accounts linked to their DraftKings accounts.
It appears that, once they had hijacked these accounts, the cyber-criminals changed the passwords and enabled two-factor authentication (2FA) for a phone number in their possession, locking out the legitimate customer.
“Messaged the ‘24/7’ support team multiple times as my money was being stolen,” said one angry customer on Twitter. “Could have easily been stopped in real time as I identified the scam immediately, but no one was there on the two busiest sports betting days of the week.”
Liberman urged customers to use unique passwords on all sites they log in to across the web, and not to share these credentials with any third parties. However, he omitted to mention the importance of switching on 2FA, which adds an extra layer of protection against credential stuffing attacks.
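The two patterns the article describes, a single source replaying leaked credentials against many accounts and a hijacked account being locked down with a new password and attacker-controlled 2FA, can both be picked out of ordinary authentication logs. The following is an added example of that detection logic, not DraftKings code; the event records are constructed, and the thresholds and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real DraftKings data).
# Fields: ISO timestamp, username, source IP, event type.
EVENTS = [
    ("2022-11-20T10:00:00", "alice", "10.0.0.5", "login_ok"),
    ("2022-11-20T10:01:00", "bob", "10.0.0.6", "login_ok"),
    ("2022-11-20T12:00:00", "u001", "203.0.113.9", "login_fail"),
    ("2022-11-20T12:00:01", "u002", "203.0.113.9", "login_fail"),
    ("2022-11-20T12:00:02", "u003", "203.0.113.9", "login_fail"),
    ("2022-11-20T12:00:03", "u004", "203.0.113.9", "login_fail"),
    ("2022-11-20T12:00:04", "alice", "203.0.113.9", "login_ok"),
    ("2022-11-20T12:02:00", "alice", "203.0.113.9", "password_change"),
    ("2022-11-20T12:03:00", "alice", "203.0.113.9", "2fa_enroll"),
    ("2022-11-20T12:05:00", "bob", "10.0.0.6", "password_change"),
]

def parse(events):
    """Convert timestamps and sort chronologically."""
    return sorted((datetime.fromisoformat(t), u, ip, e) for t, u, ip, e in events)

def stuffing_sources(events, min_users=4, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames and mostly failed (bulk replay of a leaked list)."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, u, ip, e in parse(events):
        if e in ("login_ok", "login_fail"):
            users[ip].add(u)
            total[ip] += 1
            fails[ip] += e == "login_fail"
    return {ip for ip in users
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def takeover_sequences(events, window=timedelta(minutes=10)):
    """Users whose first-ever login from an IP is followed, from that same IP and within
    `window`, by both a password change and 2FA enrolment: the lock-out pattern in the article."""
    known_ips, new_login, steps, hits = defaultdict(set), {}, defaultdict(set), set()
    for t, u, ip, e in parse(events):
        if e == "login_ok":
            if ip not in known_ips[u]:
                new_login[u] = (t, ip)  # start a fresh watch window for this user
                steps[u].clear()
            known_ips[u].add(ip)
        elif e in ("password_change", "2fa_enroll") and u in new_login:
            t0, ip0 = new_login[u]
            if ip == ip0 and t - t0 <= window:
                steps[u].add(e)
                if steps[u] >= {"password_change", "2fa_enroll"}:
                    hits.add(u)
    return hits
```

An account returned by `takeover_sequences` is a candidate for an automatic withdrawal hold and an out-of-band contact with the customer, rather than a support ticket that waits for a human.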