Credential Stuffers Steal $300K from DraftKings Customers
Sports betting site DraftKings has promised to reimburse an undisclosed number of customers after they lost $300,000 through a suspected credential stuffing campaign.
A statement from the firm’s co-founder, Paul Liberman, late yesterday noted that some customers had experienced “irregular activity” with their accounts.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” it continued.
“We have seen no evidence to suggest that DraftKings’ systems were breached to obtain this information.”
That would seem to indicate classic credential stuffing attacks, where threat actors buy up username/password combos from underground breach sites, feed them into automated tools and try them en masse across the internet, to see where they’ve been reused by individuals.
Liberman said he would “make whole” any customer that was impacted, although the firm presumably has no liability in this case.
However, the company does appear to have been slow to respond to customer complaints, which in turn may have enabled the threat actors to make off with more customer funds from bank accounts linked to their DraftKings accounts.
It appears that, once they had hijacked these accounts, the cyber-criminals changed the passwords and enabled two-factor authentication (2FA) for a phone number in their possession, locking out the legitimate customer.
“Messaged the ‘24/7’ support team multiple times as my money was being stolen,” said one angry customer on Twitter. “Could have easily been stopped in real time as I identified the scam immediately, but no one was there on the two busiest sports betting days of the week.”
Liberman urged customers to use unique passwords on all sites they log in to across the web, and not to share these credentials with any third parties. However, he omitted to mention the importance of switching on 2FA, which adds an extra layer of protection from credential stuffing attacks.
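The lockout pattern reported above (a login, then a password change and 2FA enrolment to a new phone number, then a withdrawal) is something a site can flag in its own account event stream. The following is an added example, not code from DraftKings or from the article; the event fields, the 30-minute window and the alert names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions for illustration.
EVENTS = [
    {"ts": "2024-01-07T18:01:00", "account": "alice", "type": "login_success", "known_device": False},
    {"ts": "2024-01-07T18:03:00", "account": "alice", "type": "password_change"},
    {"ts": "2024-01-07T18:04:00", "account": "alice", "type": "mfa_enroll", "phone": "+1-202-555-0100"},
    {"ts": "2024-01-07T18:09:00", "account": "alice", "type": "withdrawal", "amount": 500},
    {"ts": "2024-01-07T19:00:00", "account": "bob", "type": "login_success", "known_device": True},
    {"ts": "2024-01-07T19:02:00", "account": "bob", "type": "password_change"},
    {"ts": "2024-01-07T20:00:00", "account": "carol", "type": "login_success", "known_device": False},
    {"ts": "2024-01-07T20:05:00", "account": "carol", "type": "withdrawal", "amount": 50},
]

def detect_takeovers(events, window=timedelta(minutes=30)):
    """Return {account: action} for sessions that match the lockout pattern."""
    state, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        acct, kind = ev["account"], ev["type"]
        if kind == "login_success":
            # Only a login from a device not seen before opens a watch window.
            if ev.get("known_device"):
                state.pop(acct, None)
            else:
                state[acct] = {"start": ts, "seen": set()}
            continue
        watch = state.get(acct)
        if watch is None or ts - watch["start"] > window:
            state.pop(acct, None)  # no open window, or it has expired
            continue
        if kind in ("password_change", "mfa_enroll"):
            watch["seen"].add(kind)
            # Both credential resets in one new-device session: queue for review.
            if watch["seen"] == {"password_change", "mfa_enroll"}:
                alerts[acct] = "review"
        elif kind == "withdrawal" and alerts.get(acct) == "review":
            # Money movement after the reset pair: hold it until the owner is verified.
            alerts[acct] = "hold_withdrawal"
    return alerts

if __name__ == "__main__":
    print(detect_takeovers(EVENTS))
```

A hold raised this way gives support staff time to confirm ownership through a channel set up before the session, such as the previous e-mail address or phone number.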