
DraftKings discloses that a cyberattack affected thousands of customer accounts

DraftKings, a sports betting operator, has revealed more information regarding the recent account breach it experienced.

Paul Liberman, co-founder and president of DraftKings, took to Twitter in late November to disclose a security problem, saying that a threat actor had used credential stuffing to attempt to access users’ accounts.

Although DraftKings has reimbursed the impacted consumers, the crooks were successful in thousands of cases, taking over $300,000 from users’ accounts.

None of the customers’ credit card information was compromised.

As of today, the corporation has reported 67,995 account compromises in a breach notice submitted to the State’s Attorney General.

DraftKings said the attacker acquired the credentials elsewhere and then attempted to use them on its site. The success of the attack was not attributable to DraftKings itself, but rather to the insecure habits of its users, who reused the same passwords across many accounts.

The notice also specifies the categories of data acquired during the incident, indicating the potential for future identity theft and impersonation attacks:

In the event of an account breach, “the attacker may have gained access to the account holder’s name, address, phone number, email address, the last four digits of payment card, the account holder’s profile photo, information about prior transactions, the account balance, and the last date of password change,” the announcement states.

There is no indication that the attackers gained access to your sensitive information such as Social Security or driver’s licence numbers or bank account information.

Although the last four digits of your card number were visible to unauthorised parties, the complete card number, expiry date, and CVV are not kept in your account.

DraftKings refunded the money to the affected users, reset their accounts, and added further fraud protections. Aside from that, it is recommended that users never share their login credentials with anybody and always use a unique password for each of their online accounts that supports it.