More than 67,000 customers of the popular sports betting operator DraftKings had their personal information compromised in a data breach in November, the company said recently. More than $300,000 was stolen from accounts; DraftKings has already restored that money.
The hackers gained access to DraftKings’ database through a popular method called credential stuffing. The attack uses automated tools to make millions of attempts to sign into accounts with usernames and passwords that have been stolen from other online accounts.
If a user has used the same login information for another account, such as Facebook, Amazon, or eBay, the hackers can successfully gain entry into another account.
The attackers aim to take over as many accounts as possible to steal personal and financial info, which gets sold on hacking forums or the dark web. The stolen information may also be used in identity theft scams to make unauthorized purchases or empty bank accounts linked to compromised accounts.
The company filed a data breach notification with the Attorney General’s office regarding the incident. They said the credentials needed to log into customers’ accounts came from a non-DraftKings source.
“In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change,” the breach notification reads.
The company sent an email to those affected.
“At this time, there is currently no evidence that the attackers accessed your Social Security number, driver’s license number or financial account number,” the email read. “While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account.”
To try to prevent further attacks, DraftKings reset the passwords of the affected accounts, and company officials said they implemented additional fraud alerts.
DraftKings is also telling customers to never use the same password that they use for other online accounts and to never share personal information with a third party.