Users of popular sports betting platform DraftKings were on the receiving end of a credential stuffing attack that cost its victims nearly $300,000.
Paul Lieberman, the company’s co-founder and president, said in a statement via Twitter that the platform’s systems were not hacked; rather, the incident was the result of users’ poor cybersecurity practices.
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of those customers was hacked on other websites and then used to access their DraftKings accounts where they used the same login information,” the statement reads. “We saw no evidence of a breach of DraftKings systems to obtain this information.”
Setting up MFA
Lieberman went on to say that even though this is the end users’ fault, the company will continue to compensate affected customers:
“We have identified less than $300,000 in client funds that were impacted, and we intend to make sure any client is fully impacted.”
During the attack, users found themselves locked out of their accounts, and in some cases, the attackers even set up two-factor authentication using their phone numbers.
Credential stuffing is a common method in the cybercriminal community. Out of sheer convenience, many consumers end up using the same username/password combination for a number of different services.
The problem with this approach is that once one of these services is compromised, the user's accounts on the others are at risk too. Cybercriminals are aware of this and often use automated scripts to test the login credentials they have obtained against a myriad of services, from social networks, to retail websites, to betting and bank accounts.
Users are advised to create and use strong, unique passwords for all their online accounts, and to use a password manager to keep that information secure.
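From the platform side, the pattern described above (one source testing many accounts, then enrolling its own second factor on the ones that succeed) can be looked for in authentication logs. The sketch below is an added example, not code from DraftKings or the original article; the log format, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format): time, source IP, account, event, outcome
SAMPLE_LOG = """\
2024-01-01T03:00:01 203.0.113.7 alice login fail
2024-01-01T03:00:02 203.0.113.7 bob login fail
2024-01-01T03:00:03 203.0.113.7 carol login ok
2024-01-01T03:00:04 203.0.113.7 dave login fail
2024-01-01T03:00:05 203.0.113.7 erin login fail
2024-01-01T03:01:10 203.0.113.7 carol mfa_enroll ok
2024-01-01T09:15:00 198.51.100.20 frank login fail
2024-01-01T09:15:20 198.51.100.20 frank login ok
2024-01-01T09:20:00 198.51.100.20 frank mfa_enroll ok
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, event, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, event, outcome

def stuffing_sources(events, min_users=4, min_fail_ratio=0.7):
    """IPs that tried many distinct accounts with mostly failed logins.
    Thresholds are illustrative; counts cover the whole log, not a sliding window."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, event, outcome in events:
        if event != "login":
            continue
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += outcome == "fail"
    return {ip for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def likely_takeovers(events, window=timedelta(minutes=30)):
    """Accounts where a flagged IP logged in, then enrolled MFA within `window`."""
    events = sorted(events)
    flagged = stuffing_sources(events)
    last_ok, hits = {}, []   # last_ok: (ip, user) -> time of last successful login
    for ts, ip, user, event, outcome in events:
        if ip not in flagged or outcome != "ok":
            continue
        if event == "login":
            last_ok[(ip, user)] = ts
        elif event == "mfa_enroll" and ts - last_ok.get((ip, user), datetime.min) <= window:
            hits.append((user, ip, ts))
    return hits

if __name__ == "__main__":
    for user, ip, ts in likely_takeovers(parse(SAMPLE_LOG)):
        print(f"review account {user}: MFA enrolled from {ip} at {ts}")
```

The second source in the sample (one user mistyping a password, then enrolling MFA) is deliberately not flagged, which is the false-positive case such a rule has to tolerate.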