{"id":24622,"date":"2022-12-20T01:57:37","date_gmt":"2022-12-20T01:57:37","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2022\/12\/20\/personal-information-of-68000-draftkings-users-exposed-in-credential-stuffing-attack\/"},"modified":"2022-12-20T01:57:37","modified_gmt":"2022-12-20T01:57:37","slug":"personal-information-of-68000-draftkings-users-exposed-in-credential-stuffing-attack","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2022\/12\/20\/personal-information-of-68000-draftkings-users-exposed-in-credential-stuffing-attack\/","title":{"rendered":"Personal information of 68,000 DraftKings users exposed in credential-stuffing attack"},"content":{"rendered":"

<\/a>\n
<\/p>\n

\n

Nasdaq-listed sports betting company DraftKings Inc. has revealed that nearly 68,000 customers had their personal information exposed in a credential-stuffing attack in November.<\/p>\n

A credential-stuffing attack is a type of cyberattack where an attacker uses stolen account credentials from other hacks to gain access to a third-party system. The attack method relies on the unfortunate fact that many users use the same password for multiple sites.<\/p>\n

The attack on DraftKings did gain headlines when it occurred, with the company saying at the time<\/a> that there was no evidence that its systems were breached after reports suggested it had been hacked. The company also said it had identified less than $300,000 of customer funds that had been affected by \u201cunusual activity\u201d and would compensate customers affected.<\/p>\n

Exactly how many customers were affected has now been revealed in a Dec. 16\u00a0data breach notification<\/a> filed by DraftKings with the Maine Attorney General\u2019s Office that was first spotted<\/a> by Bleeping Computer.\u00a0In the letter, DraftKings says it detected the credential-stuffing attack on Nov. 18, launched an investigation and took several steps, including requiring affected customers to reset their DraftKings passwords and implement additional fraud alerts.<\/p>\n

The investigation found that though there was no evidence that login credentials were obtained from DraftKings, the bad actors were able to log into certain accounts. In the event an account was accessed, the attacker could have viewed the account holder\u2019s name, address, phone number, email address, profile photo, information about prior transactions and the last four digits of payment cards. No evidence was found that the attackers accessed Social Security, driver\u2019s licenses or financial account numbers.<\/p>\n

Affected users are recommended to change account passwords if they have not done so already, not only on DraftKings but on other sites as well. Users are also advised to review accounts and credit reports and consider placing a security freeze on their credit reports.<\/p>\n

Given that credential-stuffing was used, DraftKings is not offering free credit monitoring to users. Though unfortunate, the case highlights the risk of reusing passwords across multiple sites.\u00a0However, there are ways companies can reduce the risk of credential-stuffing attacks.<\/p>\n

\u201cAs one of the major players in the sports betting industry and a host to the personally identifiable information of around 1.6 million monthly unique paying customers, it is, unfortunately, no surprise that hackers have leveraged DraftKings\u2019 wealth of sensitive information to generate identity theft and financial scams,\u201d Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at security rating company SecurityScorecard Inc.<\/a>, told SiliconANGLE. \u201cIn SecurityScorecard\u2019s cybersecurity rating system, DraftKings is rated a C, with lower grades having a higher likelihood of a breach.\u201d<\/p>\n

Sherstobitoff emphasized that organizations, especially those that handle large amounts of sensitive information, must have up-to-date cybersecurity procedures that everyone follows.<\/p>\n

\u201cAdditionally, it is crucial for companies to evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and continuously monitor third-party cybersecurity posture in order to reduce the likelihood of attacks,\u201d\u00a0Sherstobitoff said.<\/p>\n

Image: DraftKings<\/h5>\n
\n
\n

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.<\/span><\/h3>\n<\/div><\/div>\n