DraftKings gamblers lose $300,000 to credential stuffing attack
A credential stuffing attack over the weekend that affected sports betting biz DraftKings resulted in as much as $300,000 being stolen from customer accounts.
The Boston-based company said that its systems were not breached but that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where the same passwords were reused.
Complaints from customers began popping up on Reddit, Twitter, and other social media sites about being locked out of their DraftKings accounts and having all their money siphoned off.
"When users have the same password for various accounts, cybercriminals will probably gain access to that account," McQuiggan told The Register.
With credential stuffing, attackers will take sign-on credentials stolen from other online accounts or bought on the dark web and use automated software to launch thousands or millions of brute-force login attempts on other accounts to steal data and money.
The Identity Theft Resource Center estimates that the average person has about 100 accounts that require passwords, a reason why the organization says that only about 15 percent of people use strong and unique passwords.