DraftKings Says Nearly 68K Clients Affected in November Hack

Posted on: December 20, 2022, 02:22h. 

Last updated on: December 20, 2022, 02:56h.

A November cyberattack compromised the sensitive data of almost 68K DraftKings customers, the gaming company said in a filing with the Maine Attorney General’s office.

The lobby at DraftKings headquarters. The company says 68K clients were affected by a November hack. (Image: The Business Journals)

Following the incident, DraftKings acknowledged approximately $300K was pilfered from bettors’ accounts and that it would restore those lost funds. The Boston-based gaming company also noted the attack wasn’t a breach of its internal cybersecurity systems, but rather, something known as credential stuffing. In a credential-stuffing attack, hackers leverage the fact that many customers deploy the same information — emails, passwords, and usernames — across multiple internet platforms to gain access to sensitive data.

Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” according to a letter sent from the company to customers.

Following the data controversy, analysts noted it was simply a matter of time before the online gaming industry’s cyber defenses were tested by bad actors. That’s because of the amount of capital that flows in and out of client accounts. Industry observers believe the largest fallout from the attack will likely be on DraftKings user trends and confidence.

What Hackers Accessed in DraftKings Accounts

Aside from depleting customer accounts, it appears unlikely the credential stuffers obtained highly sensitive financial data in the nefarious effort.

DraftKings notes the cyber thieves likely gained access to clients’ names, addresses, phone numbers, and email addresses along with the last four digits of their payment cards, their account activity, and the date of their last password change. The internet casino operator added other material information wasn’t vulnerable.

“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number, or financial account number,” the letter said. “While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

DraftKings is urging affected clients to again reset their passwords and closely monitor their credit reports for anything unusual. In its letter to customers, the gaming company provides the contact information for the three major credit bureaus.

Credential Stuffing Popular Among Cyber Thieves

Credential stuffing is increasingly common among hackers, and the FBI recently warned that companies and consumers need to be diligent in safeguarding against it.

Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries — to include media companies, retail, healthcare, restaurant groups and food delivery — to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders,” according to the law enforcement agency.

Typically, customers’ priorities with sports wagering apps are ease of use, fast withdrawal times, and the breadth of betting options. However, the DraftKings hack could make operators’ cybersecurity protocols points of emphasis for clients.