U.S. sports betting company DraftKings revealed on Monday that a threat actor has stolen approximately $300,000 from its customers’ accounts. In a statement, DraftKings co-founder Paul Liberman said the company would refund the affected accounts.
The breach occurred late on Sunday. Several affected DraftKings customers said they noticed unauthorized transactions on their accounts.
Liberman noted that there are no signs DraftKings’ systems have been breached.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings account where they use the same login information,” he said.
It is unclear how many DraftKings customers were affected.
DraftKings Customer Support Under Fire
Based on accounts from multiple victims, the attacks appear to follow a similar pattern. The attacker makes a $5 deposit, changes the password and the phone number associated with the account, and then withdraws money from the DraftKings account or linked bank account.
Some affected customers said they received real-time messages notifying them about withdrawals. However, they could not prevent the theft because the attacker had locked them out of their accounts.
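The sequence victims describe (small deposit, password and phone number change, then withdrawal) can be expressed as a correlation rule over account events. The sketch below is an added example, not DraftKings code: the event names, the one-hour window, the $10 deposit threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed correlation window
SMALL_DEPOSIT = 10.00         # assumed threshold; victims reported $5 deposits

# Constructed sample events: (account, timestamp, event type, amount in USD)
EVENTS = [
    ("acct-1001", "2022-01-01T22:02:10", "deposit", 5.00),
    ("acct-1001", "2022-01-01T22:03:30", "password_change", 0),
    ("acct-1001", "2022-01-01T22:04:05", "phone_change", 0),
    ("acct-1001", "2022-01-01T22:09:40", "withdrawal", 850.00),
    ("acct-2002", "2022-01-01T18:00:00", "deposit", 50.00),
    ("acct-2002", "2022-01-01T21:30:00", "withdrawal", 40.00),
    ("acct-3003", "2022-01-01T09:00:00", "password_change", 0),
    ("acct-3003", "2022-01-01T09:20:00", "withdrawal", 120.00),
]


def flag_takeover_pattern(events, window=WINDOW, small_deposit=SMALL_DEPOSIT):
    """Return (account, withdrawal time) pairs where a withdrawal follows a
    small deposit plus both a password and a phone change inside `window`."""
    by_account = defaultdict(list)
    for account, ts, kind, amount in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, amount))

    flagged = []
    for account, rows in by_account.items():
        rows.sort()
        for when, kind, _ in rows:
            if kind != "withdrawal":
                continue
            recent = [r for r in rows if when - window <= r[0] < when]
            deposits = [t for t, k, a in recent
                        if k == "deposit" and a <= small_deposit]
            if not deposits:
                continue
            # Contact-detail changes that happened after the first small deposit
            changes = {k for t, k, _ in recent
                       if t > deposits[0]
                       and k in ("password_change", "phone_change")}
            if changes == {"password_change", "phone_change"}:
                flagged.append((account, when.isoformat()))
                break  # one alert per account is enough
    return flagged


if __name__ == "__main__":
    for account, when in flag_takeover_pattern(EVENTS):
        print(f"hold withdrawal for review: {account} at {when}")
```

A rule like this is most useful when it runs before the payout is released, so the withdrawal can be held for verification through the contact details that were on file before the change.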
Several customers have criticized DraftKings on social media for its poor customer support. One customer told sports betting site Action Network that the live chat feature on the DraftKings site didn’t work. Instead, he was directed to fill out a form and wait for a response from the company.
On Sunday, as customers expressed alarm on social media after noticing unauthorized withdrawals on their accounts, DraftKings acknowledged the issue.
“We are aware of reports of customers having issues with their accounts, and we are investigating,” DraftKings said in a tweet. “If any customers are having issues with their accounts, please contact Customer Experience Team at [email protected]”
One customer claims he sent multiple messages to the DraftKings support team, but did not get a response.
Don’t Re-Use Passwords
Liberman cautioned DraftKings customers against re-using the same credentials on multiple platforms.
“We strongly encourage customers to use unique passwords for DraftKings and all other sites, and strongly recommend that customers do not share passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps,” he said.
Cybersecurity professionals also advise against using the same credentials on different platforms, as you’re left exposed if your login is ever leaked. Hackers often sell stolen credentials on hacker forums or dark web marketplaces. Cybercriminals take advantage of these leaked credentials to orchestrate credential stuffing attacks and other malicious schemes.
In 2020, the FBI warned about a rise in credential stuffing attacks targeting the U.S. financial sector. Earlier this year, the New York State Attorney said 1.1 million accounts belonging to prominent New York businesses were victims of credential stuffing attacks.
It’s nearly impossible to create and remember strong passwords for all your online accounts. We recommend using a secure password manager to avoid falling into the habit of re-using the same credentials. Our article on the best passwords of 2022 contains some excellent suggestions.