Users of popular sports betting platform DraftKings were on the receiving end of a credential-stuffing attack that cost its victims approximately $300,000.
Issuing a statement via Twitter, the company’s co-founder and president, Paul Liberman, said the platform’s systems were not compromised, and that the incident was instead the result of users’ poor cybersecurity practices.
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” the statement reads. “We have seen no evidence that DraftKings’ systems were breached to obtain this information.”
Setting up MFA
Liberman further went on to say that despite this being the end users’ mistake, the company will still reimburse the affected customers:
“We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted.”
During the attack, users found themselves being locked out of their accounts, and in some cases, the attackers were even setting up two-factor authentication using their phone numbers.
Credential stuffing is a popular method in the cybercriminal community. Out of sheer convenience, many consumers end up using the same username/password combination for a number of different services.
The problem with this approach is that once one of those services is compromised, the users risk losing a lot more. Cybercriminals are well aware of this and often use automated scripts to test the obtained login credentials against a myriad of services, from social media networks to retail sites to betting and banking accounts.
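As an added illustration (not from the article or from DraftKings), this is the kind of detection a defender would run over authentication logs: credential stuffing shows up as one source address trying many distinct accounts in a short window with mostly failures, and the few successes from that source are the accounts to lock and notify. The log lines, field layout and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real platform data).
# Field layout assumed: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-11-20T10:00:01 198.51.100.7 alice FAIL
2022-11-20T10:00:02 198.51.100.7 bob FAIL
2022-11-20T10:00:03 198.51.100.7 carol SUCCESS
2022-11-20T10:00:04 198.51.100.7 dave FAIL
2022-11-20T10:00:05 198.51.100.7 erin FAIL
2022-11-20T10:00:06 198.51.100.7 frank SUCCESS
2022-11-20T10:01:00 203.0.113.9 alice FAIL
2022-11-20T10:01:30 203.0.113.9 alice SUCCESS
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.5):
    """Return {ip: set(users)} for source IPs that attempted at least
    `min_users` distinct accounts inside `window` with a failure ratio of
    at least `min_fail_ratio`. The set holds the accounts that IP logged
    into successfully: the ones to lock, re-verify and notify.
    A single user retrying their own password from one IP is not flagged."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hits.setdefault(ip, set()).update(
                    e[2] for e in win if e[3] == "SUCCESS")
    return hits
```

With the sample above, only 198.51.100.7 is flagged, and carol and frank are the accounts it got into; alice's own retry from 203.0.113.9 is left alone.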
Users are advised to create strong and unique passwords for all their online accounts, and to use password managers to keep that information secure.
Via: The Register