Nasdaq-listed sports betting company DraftKings Inc. has revealed that nearly 68,000 customers had their personal information exposed in a credential stuffing attack in November.

A credential stuffing attack is a type of cyberattack where an attacker uses stolen account credentials from other hacks to gain access to a third-party system. The attack method relies on the unfortunate fact that many users use the same password for multiple sites.

The attack on DraftKings made headlines when it occurred. After reports suggested that the company had been hacked, DraftKings said at the time that there was no evidence that its systems were breached. The company also said that it had identified less than $300,000 of customer funds that had been affected by “unusual activity” and would compensate customers affected.

The exact number of affected customers, 67,995, has now been revealed in a data breach notification filed by DraftKings with the Maine Attorney General’s Office that was first spotted by Bleeping Computer.

In the letter, DraftKings says that it detected the credential stuffing attack on Nov. 18, launched an investigation and took several steps, including requiring affected customers to reset their DraftKings passwords and implementing additional fraud alerts.

The investigation found that while there was no evidence that login credentials were obtained from DraftKings, the bad actors were able to log into certain accounts. In the event an account was accessed, the attacker could have viewed the account holder’s name, address, phone number, email address, profile photo, information about prior transactions and the last four digits of payment cards. No evidence was found that the attackers accessed Social Security numbers, driver’s license numbers or financial account numbers.

Affected users should change their account passwords if they have not done so already, not only on DraftKings but on other sites as well. Users are also advised to review accounts and credit reports and to consider placing a security freeze on their credit reports.

Given that credential stuffing was used, DraftKings is not offering free credit monitoring to users. While unfortunate, the case highlights the risk of reusing passwords across multiple sites. However, there are ways companies can reduce the risk of credential-stuffing attacks.

“As one of the major players in the sports betting industry and a host to the personally identifiable information of around 1.6 million monthly unique paying customers, it is, unfortunately, no surprise that hackers have leveraged DraftKings’ wealth of sensitive information to generate identity theft and financial scams,” Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at security rating company SecurityScorecard Inc., told SiliconANGLE. “In SecurityScorecard’s cybersecurity rating system, DraftKings is rated a C, with lower grades having a higher likelihood of a breach.”

Sherstobitoff emphasized that organizations, especially those that handle large amounts of sensitive information, must have up-to-date cybersecurity procedures that everyone follows.

“Additionally, it is crucial for companies to evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and continuously monitor third-party cybersecurity posture in order to reduce the likelihood of attacks,” Sherstobitoff added.
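The pattern described earlier in the article, one source trying reused credentials against many accounts with most attempts failing, can be flagged from login logs. The sketch below is an added example, not code from DraftKings or the original article; the log format, thresholds and all names are assumptions. It returns the accounts a flagged source did get into, which are the ones a forced password reset would target.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 user01 FAIL
2024-01-01T10:00:02 203.0.113.7 user02 FAIL
2024-01-01T10:00:02 198.51.100.20 alice FAIL
2024-01-01T10:00:03 203.0.113.7 user03 FAIL
2024-01-01T10:00:04 203.0.113.7 user04 FAIL
2024-01-01T10:00:05 203.0.113.7 user05 OK
2024-01-01T10:00:06 203.0.113.7 user06 FAIL
2024-01-01T10:00:09 198.51.100.20 alice FAIL
2024-01-01T10:00:20 198.51.100.20 alice OK
2024-01-01T10:01:00 198.51.100.50 dave OK
2024-01-01T10:01:05 198.51.100.50 erin OK
2024-01-01T10:01:09 198.51.100.50 frank OK
2024-01-01T10:01:30 198.51.100.50 grace OK
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MIN_ACCOUNTS = 4               # assumed: distinct usernames tried in the window
MIN_FAIL_RATIO = 0.8           # assumed: share of attempts in the window that failed

def parse(log):
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    windows = defaultdict(deque)   # ip -> recent (timestamp, user, ok) attempts
    successes = defaultdict(set)   # ip -> usernames with a successful login
    flagged = set()
    for ts, ip, user, ok in sorted(parse(log)):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:   # drop attempts older than the window
            win.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        # Many distinct accounts AND mostly failures: a shared office NAT has
        # the first property only, a user mistyping a password only the second.
        if len(users) >= MIN_ACCOUNTS and fails / len(win) >= MIN_FAIL_RATIO:
            flagged.add(ip)
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```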
