DraftKings Warns Data of 67,000 People Was Exposed In Account Hacks (bleepingcomputer.com)
Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. [...] In a data breach notification filed with the Maine Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident. The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.
"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. "At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."
After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts. "After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working," adds the report.
"The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests."
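The summary describes a recognisable takeover sequence on the hijacked accounts: a $5 seed deposit, then a password change, then 2FA moved to a different phone number, then a withdrawal. The Python below is an added example, not code from DraftKings or from the BleepingComputer report, showing how a fraud-monitoring job could look for exactly that ordered sequence inside a short window and hold the withdrawal for review. The `Event` schema, the two-hour window, the $5 threshold and all sample activity are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    """One account-activity record (schema assumed for this example)."""
    account: str
    ts: datetime
    kind: str            # "deposit", "password_change", "mfa_phone_change", "withdrawal"
    amount: float = 0.0  # only meaningful for deposit / withdrawal


# The sequence the article attributes to the hijacked accounts: a small seed
# deposit, then a password change, then 2FA moved to a new phone, then a withdrawal.
TAKEOVER_SEQUENCE = ["deposit", "password_change", "mfa_phone_change", "withdrawal"]


def find_takeover_chains(events: List[Event],
                         window: timedelta = timedelta(hours=2),
                         max_seed_deposit: float = 5.0) -> Dict[str, List[Event]]:
    """Return {account: [events]} for every account whose history contains the
    full TAKEOVER_SEQUENCE, in order, starting from a deposit of at most
    max_seed_deposit and completing within `window` of that deposit."""
    by_account: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)

    hits: Dict[str, List[Event]] = {}
    for account, history in by_account.items():
        history.sort(key=lambda e: e.ts)
        for i, seed in enumerate(history):
            # Each candidate chain must start with a small deposit.
            if seed.kind != "deposit" or seed.amount > max_seed_deposit:
                continue
            chain = [seed]
            stage = 1  # index of the next expected step in TAKEOVER_SEQUENCE
            for ev in history[i + 1:]:
                if ev.ts - seed.ts > window:
                    break  # too slow to match the pattern; try the next seed
                if ev.kind == TAKEOVER_SEQUENCE[stage]:
                    chain.append(ev)
                    stage += 1
                    if stage == len(TAKEOVER_SEQUENCE):
                        hits[account] = chain
                        break
            if account in hits:
                break
    return hits


def _t(minute: int) -> datetime:
    # Constructed timestamps for the sample data below.
    return datetime(2022, 11, 18, 3, 0) + timedelta(minutes=minute)


# Constructed sample activity. "alice" shows the full pattern inside 40 minutes;
# "bob" is ordinary use; "carol" lacks the 2FA change; "dave" matches in type
# but is spread over three days, so it falls outside the window.
SAMPLE_EVENTS = [
    Event("alice", _t(0), "deposit", 5.00),
    Event("alice", _t(7), "password_change"),
    Event("alice", _t(12), "mfa_phone_change"),
    Event("alice", _t(40), "withdrawal", 1200.00),
    Event("bob", _t(0), "deposit", 50.00),
    Event("bob", _t(90), "withdrawal", 20.00),
    Event("carol", _t(0), "deposit", 5.00),
    Event("carol", _t(5), "password_change"),
    Event("carol", _t(30), "withdrawal", 300.00),
    Event("dave", _t(0), "deposit", 5.00),
    Event("dave", _t(60 * 24), "password_change"),
    Event("dave", _t(60 * 48), "mfa_phone_change"),
    Event("dave", _t(60 * 72), "withdrawal", 800.00),
]

if __name__ == "__main__":
    for account, chain in find_takeover_chains(SAMPLE_EVENTS).items():
        steps = " -> ".join(f"{e.kind}@{e.ts:%H:%M}" for e in chain)
        print(f"HOLD WITHDRAWAL {account}: {steps}")
```

The matcher is deliberately strict about order and timing: a legitimate user who changes a password one week and a phone number the next never trips it, while the compressed sequence the report describes does. In production the withdrawal step would be evaluated before the payout is released, not after.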
What is going on here? (Score:2)
This story has been up for 130 minutes now and there have been no posts at all.
Re: (Score:3, Insightful)
It's a story about a sportsball betting firm and posted at 5AM Eastern time on /. (which, as you're well aware, is a US based site with a broad userbase, but a plurality [if not a majority] of users are in the US). Sportsball and nerds often don't mix, and the ones that do mix, probably aren't awake yet.
Give it time for the code monkeys to wake up, get into "the office" (be that virtual or physical), get their coffee, then actually start reading /. and there'll be a few more posts.
Re: What is going on here? (Score:1)
Replied within minutes, but seems it got lost in the mail.
Something about how some seem to have missed the memo on password re-use and how karma is a botch.
I'm shocked DraftKings even considered reimbursement of those affected.
Re: (Score:2)
Third-party platforms? (Score:3)
> "The company is now advising customers . . . never share their credentials with third-party platforms"
What, like Google Passwords or LastPass? No way am I remembering unique and totally-not reused passwords for thousands of websites without some sort of assistance.
Re: (Score:2)
Re: (Score:2)
e.g. converting the website name to ascii numbers, multiply them, add 12, squareroot the result, add 6 - stick that on the end of a "regular" password.
It can be much more complex or simpler than the example above - ideally something you could do in your head, but something tough to reverse engineer even if someone got hold of quite a few of your passwords.
This way you don't need an external ser
Re: (Score:2)
If I use "This is my abso-friggin-lutely unguessable Password I use for every site out there382967" it kinda don't matter what the algorithm for the numbers is, I just gave a hacker all my passwords with just one million combinations each.
Re: (Score:2)
I posted my scheme in another article earlier today:
https://slashdot.org/comments.... [slashdot.org]
Brute Force attack (Score:2)
Re: (Score:3)
Because it's a different tactic entirely than brute forcing which implies no prior knowledge of credentials.
Credential stuffing is when you take harvested creds from data dumps and try them on many other sites. It's a completely different approach.
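The distinction drawn in this comment (and in the article summary above) is visible in authentication logs: credential stuffing spreads one or two guesses across many usernames from the same source, while brute forcing hammers one username with many guesses. The Python below is an added example, not the commenter's code and not anything DraftKings or BleepingComputer published, that parses constructed auth-log lines, profiles each source IP, applies that distinction, and lists the accounts that were successfully logged into from a stuffing source so they can be reset. The log format, the thresholds and the sample lines (using documentation address ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set

# Assumed log format for this example; real products differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_sources(lines: Iterable[str]) -> Dict[str, dict]:
    """Per source IP: attempts, failures, distinct usernames tried, and the
    usernames that logged in successfully from that source."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "fails": 0, "users": set(), "logged_in": set()}
    )
    for rec in parse_auth_log(lines):
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["logged_in"].add(rec["user"])
    return stats


def classify_sources(lines: Iterable[str], min_attempts: int = 10,
                     min_users: int = 8, min_fail_rate: float = 0.8) -> Dict[str, str]:
    """Label each source IP: normal, credential_stuffing, brute_force or review."""
    labels: Dict[str, str] = {}
    for ip, s in profile_sources(lines).items():
        if s["attempts"] < min_attempts:
            labels[ip] = "normal"
            continue
        fail_rate = s["fails"] / s["attempts"]
        attempts_per_user = s["attempts"] / len(s["users"])
        if fail_rate < min_fail_rate:
            labels[ip] = "review"            # busy but mostly succeeding: NAT, proxy, etc.
        elif len(s["users"]) >= min_users and attempts_per_user <= 2:
            labels[ip] = "credential_stuffing"   # many accounts, about one guess each
        elif len(s["users"]) <= 2:
            labels[ip] = "brute_force"           # one account, many guesses
        else:
            labels[ip] = "review"
    return labels


def accounts_to_reset(lines: List[str]) -> Set[str]:
    """Usernames that were logged into from a source labelled as stuffing:
    those are the accounts whose reused passwords have just been confirmed."""
    labels = classify_sources(lines)
    return {
        user
        for ip, s in profile_sources(lines).items()
        if labels[ip] == "credential_stuffing"
        for user in s["logged_in"]
    }


def _line(minute: int, ip: str, user: str, result: str) -> str:
    return f"2022-11-18T03:{minute:02d}:00Z ip={ip} user={user} result={result}"


# Constructed sample log (documentation address ranges, invented usernames).
STUFFING_IP, BRUTE_IP, NORMAL_IP = "203.0.113.7", "203.0.113.9", "198.51.100.4"
SAMPLE_LOG: List[str] = (
    # one guess against each of 12 accounts; the reused password works for "dana"
    [_line(i, STUFFING_IP, f"user{i:02d}", "FAIL") for i in range(11)]
    + [_line(11, STUFFING_IP, "dana", "OK")]
    # ten guesses against a single account
    + [_line(i, BRUTE_IP, "admin", "FAIL") for i in range(10)]
    # a real user who mistypes once
    + [_line(0, NORMAL_IP, "erin", "FAIL"), _line(1, NORMAL_IP, "erin", "OK")]
    + ["garbage line that the parser must skip"]
)

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {label}")
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG)))
```

The per-IP view is the weak point of this approach: a stuffing campaign run through a large proxy pool shows only a handful of attempts per address, so the same ratios are usually computed per campaign window across all sources too (distinct usernames per minute against the site as a whole), and the successful logins are the list that matters for forced resets.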
Online betting (Score:2)
Ok And? (Score:1)
Everyone on DraftKings is a fucking moron.
November, you say? (Score:3)
So, a month or less before the breach is mentioned publicly? Before you know it you'll see compromised companies act first in the public's interest, and second in covering their own arses.
Oh no! (Score:2)
I wonder (Score:2)
Storing passwords in plain text? Still? (Score:2)
Hard to believe that website and software developers still code their shit and design databases to store passwords in plain text.
That's the only way stuffing vulnerabilities like this even exist.
Seriously. Who the fuck still writes stuff that horrible?
It should be an indictable/felony offence to store a password in anything other than a super-strong 1 way hash. Bloody hell.