DraftKings Says Nearly 68K Clients Affected in November Hack

A November cyberattack compromised the sensitive data of almost 68K DraftKings customers, the gaming company said in a filing with the Maine Attorney General’s office.

DraftKings
The lobby at DraftKings headquarters. The company says 68K clients were affected by a November hack. (Image: The Business Journals)

Following the incident, DraftKings acknowledged approximately $300K was pilfered from bettors’ accounts and that it would restore those lost funds. The Boston-based gaming company also noted the attack wasn’t a breach of its internal cybersecurity systems, but rather, something known as credential stuffing. In a credential-stuffing attack, hackers leverage the fact that many customers deploy the same information — emails, passwords, and usernames — across multiple internet platforms to gain access to sensitive data.

Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” according to a letter sent from the company to customers.

Following the data controversy, analysts noted it was simply a matter of time before the online gaming industry’s cyber defenses were tested by bad actors. That’s because of the amount of capital that flows in and out of client accounts. Industry observers believe the largest fallout from the attack will likely be on DraftKings user trends and confidence.

What Hackers Accessed in DraftKings Accounts

Aside from depleting customer accounts, it appears unlikely the credential stuffers obtained highly sensitive financial data in the nefarious effort.

DraftKings notes the cyber thieves likely gained access to clients’ names, addresses, phone numbers, and email addresses along with the last four digits of their payment cards, their account activity, and the date of their last password change. The internet casino operator added other material information wasn’t vulnerable.

“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number, or financial account number,” the letter said. “While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”

DraftKings is urging affected clients to again reset their passwords and closely monitor their credit reports for anything unusual. In its letter to customers, the gaming company provides the contact information for the three major credit bureaus.

Credential Stuffing Popular Among Cyber Thieves

Credential stuffing is increasingly common among hackers, and the FBI recently warned that companies and consumers need to be diligent in safeguarding against it.

Malicious actors utilizing valid user credentials have the potential to access numerous accounts and services across multiple industries — to include media companies, retail, healthcare, restaurant groups and food delivery — to fraudulently obtain goods, services, and access other online resources such as financial accounts at the expense of legitimate account holders,” according to the law enforcement agency.

Typically, customers’ priorities with sports wagering apps are ease of use, fast withdrawal times, and the breadth of betting options. However, the DraftKings hack could make operators’ cybersecurity protocols points of emphasis for clients.

Todd Shriber
Todd Shriber Financial Reporter

Todd Shriber is a senior news reporter covering gaming financials, casino business, stocks, and mergers and acquisitions for Casino.org.

Todd got his start in financial markets as a reporter with Bloomberg News. Later, he became a trader at a Southern California-based long/short hedge fund, where he specialized in the trading sector and international ETFs leading up to and during the financial crisis. He joined Casino.org in 2019.

Currently, Todd analyzes, researches, and writes on ETFs for various web-based publications and financial services firms. Shriber has been featured and quoted in Barron's, CNBC.com, and The Wall Street Journal. His work can also be found on Benzinga, ETF Daily News, ETF Trends, MarketWatch, Fox Business, and Nasdaq.com.

He currently resides in Las Vegas, where he enjoys golf and taking his black lab to the dog park. He's also an avid sports fan and likes to wager on college football and the NBA. You can also find him at the three-card poker and roulette table, even though he knows better.

Contact Todd at todd.shriber@casino.org.

Comments icon

Conversation (0)

+ Add a comment

Be the first to comment on this article.

Write a comment

Your email address will not be published.