Security News > 2022 > November > Hackers steal $300,000 in DraftKings credential stuffing attack

Sports betting company DraftKings said today that it would make whole customers affected by a credential stuffing attack that led to losses of up to $300,000.

The statement follows an early Monday morning tweet saying that DraftKings was investigating reports [1, 2, 3, 4] of customers experiencing issues with their accounts.

"We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information," revealed DraftKings President and Cofounder Paul Liberman more than 12 hours later.

DraftKings customers who haven't yet been affected by this credential-stuffing campaign are advised to immediately turn on 2FA on their accounts and remove any banking details or, even better, unlink their bank accounts to block fraudulent withdrawal requests.

In credential stuffing, threat actors use automated tools to make repeated attempts to gain access to user accounts using credentials stolen from other online services.

The attackers will also use the stolen info in future identity theft scams to make unauthorized purchases or-as it happened in the case of hijacked DraftKings accounts-transfer money in linked banking accounts to accounts under their control.

News URL

https://www.bleepingcomputer.com/news/security/hackers-steal-300-000-in-draftkings-credential-stuffing-attack/