Sports betting company DraftKings revealed that a recent data breach exposed the personal information of 68,000 users. The issue, first made public in November, was the product of a credential stuffing attack rather than a system compromise at DraftKings.
Credential stuffing is the practice of accessing an account on one service using leaked credentials (usernames, passwords, and email addresses) received from a third-party source. These cyberattacks are only successful because some people use the same login information for many services.
At the same time, DraftKings said that it would return all the stolen money and that the attackers had taken around $300,000 from some hacked accounts. Informing affected customers that some of their personal information may have been exposed during the incident and underlining that the attackers used leaked credentials to access the accounts, the business began sending notification letters to them on Friday.
“Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” as per a notification sent to affected customers.
According to DraftKings, the attack may have exposed personal information such as names, addresses, phone numbers, email addresses, profile photos, account balances, the last four digits of credit or debit cards, information about previous transactions, and the date of the most recent password change. The business emphasizes that it does not keep complete payment card numbers, card expiry dates, or CVVs. It also adds that it has no proof that Social Security numbers, license numbers, or financial account details were compromised in the incident.
The firm advised the affected clients to reset their account passwords as soon as it became aware of the situation. It is now requesting them to do so once more and monitor their account and credit reports for any indications of unusual behavior. According to information provided to the Maine Attorney General by DraftKings, 67,995 people were affected by the data breach.
“We have restored amounts that have been withdrawn from certain accounts in connection with credential stuffing attacks, as determined and identified by DraftKings,” said the company.