DraftKings Warns Data of 67,000 People Was Exposed In Account Hacks (bleepingcomputer.com)

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. [...] In a data breach notification filed with the Maine Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident. The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. "At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."

After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.
"After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working," adds the report.

"The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests."
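The summary above describes credential stuffing as replaying user/password pairs stolen from other services, which gives a defender a recognisable profile: one source trying many different accounts, roughly once each, with a high failure rate (unlike brute force, which hammers one account with many passwords). The following detector is an added example, not code from the article, BleepingComputer or DraftKings; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Toy credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso-time> <src-ip> <user> <result>" (hypothetical format).
# 203.0.113.7 sprays six different accounts and gets one hit (stuffing profile);
# 198.51.100.4 hits the same account six times (brute-force profile).
SAMPLE_LOG = """\
2022-11-18T03:00:01 203.0.113.7 alice FAIL
2022-11-18T03:00:02 203.0.113.7 bob FAIL
2022-11-18T03:00:02 203.0.113.7 carol OK
2022-11-18T03:00:03 203.0.113.7 dave FAIL
2022-11-18T03:00:04 203.0.113.7 erin FAIL
2022-11-18T03:00:05 203.0.113.7 frank FAIL
2022-11-18T03:00:09 198.51.100.4 alice FAIL
2022-11-18T03:00:10 198.51.100.4 alice FAIL
2022-11-18T03:00:11 198.51.100.4 alice FAIL
2022-11-18T03:00:12 198.51.100.4 alice FAIL
2022-11-18T03:00:13 198.51.100.4 alice FAIL
2022-11-18T03:00:14 198.51.100.4 alice FAIL
2022-11-18T03:05:00 192.0.2.9 carol OK
"""

def parse(text):
    """Return a list of (timestamp, src_ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, max_success_rate=0.5):
    """Map src_ip -> 'stuffing' or 'bruteforce' for sources exceeding the thresholds in any window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        for i in range(len(rows)):
            span = [r for r in rows[i:] if r[0] - rows[i][0] <= window]
            if len(span) < min_attempts or sum(r[2] for r in span) / len(span) > max_success_rate:
                continue  # too few attempts, or mostly successful: looks like a legitimate client
            # Nearly every attempt targets a different account -> stuffing; one account -> brute force.
            verdicts[ip] = "stuffing" if len({r[1] for r in span}) >= min_attempts else "bruteforce"
            break
    return verdicts

def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: candidates for a forced reset."""
    return sorted({user for _, ip, user, ok in events if ok and verdicts.get(ip) == "stuffing"})
```

The single successful login inside a flagged spray (carol here) is the account that needs the password reset and fraud alert the article describes, since the password that worked was valid elsewhere.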
  • This story has been up for 130 minutes now and there have been no posts at all.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      It's a story about a sportsball betting firm and posted at 5AM Eastern time on /. (which, as you're well aware, is a US based site with a broad userbase, but a plurality [if not a majority] of users are in the US). Sportsball and nerds often don't mix, and the ones that do mix, probably aren't awake yet.

      Give it time for the code monkeys to wake up, get into "the office" (be that virtual or physical), get their coffee, then actually start reading /. and there'll be a few more posts.

    • Replied within minutes, but seems it got lost in the mail.

      Something about how some seem to have missed the memo on password re-use and how karma is a botch.

      I'm shocked DraftKings even considered reimbursement of those affected.

    • Slashdot 2022 is not Slashdot 2012. It was near impossible to get a first post back then, but now I accidentally get them. Time changes sites' traffic ebbs and flows. /. got killed by its codebase and its editorial lack of passion for it. Hurts to say that. I know Taco cared, but things happen. It got too much attention and not enough profit; combine that with a creaky Perl codebase and a free-speech-or-die policy = no revenue growth, slow death.
  • by blockhouse ( 42351 ) on Tuesday December 20, 2022 @07:20AM (#63144768)

    > "The company is now advising customers . . . never share their credentials with third-party platforms"

    What, like Google Passwords or LastPass? No way am I remembering unique and totally-not reused passwords for thousands of websites without some sort of assistance.

    • Index cards. Modern generations won't know what to do with them.
    • by Chozabu ( 974192 )
      Come up with an algorithm for your passwords. Some kind of hash-like function to be combined with a password,
      e.g. converting the website name to ASCII numbers, multiply them, add 12, square root the result, add 6 - stick that on the end of a "regular" password.

      It can be much more complex or simpler than the example above - ideally something you could do in your head, but something tough to reverse engineer even if someone got hold of quite a few of your passwords.
      This way you don't need an external ser
      • by Kokuyo ( 549451 )

        If I use "This is my abso-friggin-lutely unguessable Password I use for every site out there382967" it kinda don't matter what the algorithm for the numbers is, I just gave a hacker all my passwords with just one million combinations each.

  • Why after all this time is brute force a thing? And why make a new name for it.
    • Because it's a different tactic entirely than brute forcing which implies no prior knowledge of credentials.

      Credential stuffing is when you take harvested creds from data dumps and try them on many other sites. It's a completely different approach.

  • Customers didn't expect to be gambling their personal data away.
  • Everyone on DraftKings is a fucking moron.

  • by rmdingler ( 1955220 ) on Tuesday December 20, 2022 @08:45AM (#63144880) Journal

    So, a month or less before the breach is mentioned publicly? Before you know it you'll see compromised companies act first in the public's interest, and second in covering their own arses.

  • Anyway...
  • Is Draftkings taking bets on this?
  • Hard to believe that website and software developers still code their shit and design databases to store passwords in plain text.
    That's the only way stuffing vulnerabilities like this even exist.
    Seriously. Who the fuck still writes stuff that horrible?

    It should be an indictable/felony offence to store a password in anything other than a super-strong one-way hash. Bloody hell.
