Users of the popular sports betting platform DraftKings were the recipients of a credential stuffing attack that cost its victims approximately $300,000.
Issuing a statement via Twitter, the company’s co-founder and president, Paul Liberman, said that the platform’s systems were not compromised, but that the incident was the result of bad cybersecurity practices by users.
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” the statement read. “We have seen no evidence that DraftKings systems have been breached to obtain this information.”
Liberman went on to say that even though this was the end users’ mistake, the company would still refund affected customers:
“We have identified less than $300,000 of client funds that were affected, and we intend to make reparations to any clients that have been affected.”
During the attack, users found themselves locked out of their accounts, and in some cases the attackers even set up two-factor authentication using their own phone numbers.
Credential stuffing is a popular method in the cybercriminal community. Out of sheer convenience, many consumers end up using the same username/password combination for several different services.
The problem with this approach is that once one of those services is compromised, users risk losing much more. Cybercriminals are also aware of this fact and often use automated scripts to test login credentials obtained from a wide variety of services, from social media to retail sites to banking and gambling accounts.
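The automated replay described above leaves a recognisable trace in authentication logs: one source trying many different usernames in a short window, most of them failing. As an added example (not from the article, DraftKings or The Register), the detector below flags that pattern and lists the accounts where the replayed credentials did work, which are the ones a defender must lock and reset; the log lines, thresholds and field layout are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2022-11-20T01:00:01Z 203.0.113.7 alice FAIL
2022-11-20T01:00:02Z 203.0.113.7 bob FAIL
2022-11-20T01:00:03Z 203.0.113.7 carol FAIL
2022-11-20T01:00:04Z 203.0.113.7 dave OK
2022-11-20T01:00:05Z 203.0.113.7 erin FAIL
2022-11-20T01:00:06Z 203.0.113.7 frank FAIL
2022-11-20T01:00:07Z 203.0.113.7 grace OK
2022-11-20T01:05:00Z 198.51.100.9 alice FAIL
2022-11-20T01:05:30Z 198.51.100.9 alice FAIL
2022-11-20T01:06:00Z 198.51.100.9 alice OK
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct usernames within `window` with a high
    failure ratio: a leaked credential list being replayed, not one user mistyping
    their own password (198.51.100.9 above is the latter and is not flagged)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # keep the latest qualifying window; it grows as more attempts arrive.
                # Successful logins inside it are accounts the attacker now holds.
                flagged[ip] = {"distinct_users": len(users),
                               "fail_ratio": round(fails / len(span), 2),
                               "successful_logins": sorted({u for _, u, r in span if r == "OK"})}
    return flagged
```

Because the accounts in `successful_logins` authenticated correctly, a password-only check never rejects them; the signal lives entirely in the per-source aggregate, which is why MFA set up by the legitimate owner, not after the fact by the attacker, is the control that actually stops the takeover.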
Users are encouraged to create strong, unique passwords for all of their online accounts and use password managers to keep that information secure.
Via: The Register