Last week, sports betting company DraftKings revealed that a credential stuffing attack in November exposed the personal information of over 67,000 customers. Credential stuffing attacks involve the use of automated tools to make thousands, if not millions, of attempts to sign into accounts using stolen username and password pairs. These attacks are especially effective when people use the same login information across multiple platforms, allowing attackers to gain access to a large number of accounts.
The attacker’s goal is frequently to steal personal and financial information, which is sold on hacking forums or the dark web. Alternatively, the stolen information could be used in identity theft scams to make unauthorized purchases or empty linked bank accounts. Individuals must use unique login information for each of their accounts and regularly update their passwords to protect themselves from these types of attacks.
In a notification filed with the Maine Attorney General’s office, the company stated that the attackers were able to obtain the credentials needed to access the customers’ accounts from a source outside of DraftKings. The data that may have been accessed by the attackers included names, addresses, phone numbers, email addresses, the last four digits of payment cards, profile photos, transaction histories, account balances, and last password change dates.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, said this about the security breach: “Unfortunately, it shouldn’t be a surprise that hackers have used the wealth of sensitive information on DraftKings to steal identities and steal money.” DraftKings has been given a grade of C in the cybersecurity rating system maintained by SecurityScorecard. “Lower grades indicate a greater potential for a data breach.”
Sherstobitoff went on to talk more about the importance of suitable cybersecurity measures. He said that these are especially important for organizations that deal with a lot of sensitive data. His advice to businesses was to “have up-to-date cybersecurity procedures that everyone follows” and to “evaluate their cybersecurity strategy, have a complete picture of their attack surface, look for ways to gain visibility into vulnerabilities, and continuously monitor third-party cybersecurity posture to reduce the likelihood of attacks.”
The Dangers of Credential-Stuffing Attacks: What You Need to Know
Individuals and companies should implement several preventative measures to shield themselves from credential-stuffing attacks. One of the best ways to keep hackers out of your online accounts is to use different, hard-to-crack passwords for each one. Even if hackers successfully steal the login credentials for one account, it is then much harder for them to gain access to your other accounts. Using a password manager to generate and store these unique passwords and ensure they are always up to date is another smart thing to do.
Enabling multi-factor authentication (also known as MFA) on all accounts is another essential step. MFA requires that users give more than just their username and password to prove their identity. This can take the form of a code sent to a user’s phone or a biometric scan of the user’s fingerprints. Even if hackers get hold of login information, this measure will make it harder for them to get into an account.
Sharing an individual’s or company’s login information with a third party raises the likelihood that their credentials will be stolen and is, therefore, something that should be done with caution by both individuals and businesses. It is also a good idea to steer clear of using public Wi-Fi networks, as these can be susceptible to cybercriminals who may be able to steal login information from users of these networks.
In addition to taking these steps, people and businesses should keep a close eye on their accounts and immediately report any strange or suspicious activity to their bank or another financial institution. It is also a good idea to review the settings and security measures associated with your account regularly to ensure they are effective and up to date. Individuals and businesses alike can significantly lessen the likelihood of falling prey to credential-stuffing attacks and other cybercrime by following the aforementioned preventative measures.
DraftKings Data Breach Highlights Tips for Protecting Online Accounts
In addition to the measures mentioned above, there are several other ways that businesses can further strengthen their cybersecurity defenses against credential-stuffing attacks and other types of cyber threats. One such measure is the use of a password manager, which can help generate and store unique and complex passwords for different online accounts. It reduces the risk of password re-use and makes it more difficult for hackers to access multiple accounts.
Another effective measure is the use of rate limiting, which involves setting limits on the number of login attempts that can be made from a single IP address within a given time frame. This helps to prevent automated attacks by requiring the attacker to slow down their attempts or switch to a different IP address, making it more difficult for them to gain access to accounts.
Another important measure is the use of CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This is a type of challenge-response test that is used to determine whether the user is a human or a machine. By requiring users to enter a code or solve a puzzle, CAPTCHA helps to prevent automated attacks and can significantly reduce the risk of credential-stuffing attacks.
It is also important for businesses to regularly monitor their systems for any suspicious activity and to have robust incident response plans in place to quickly address and resolve any security breaches that do occur. This may involve seeking the assistance of a cybersecurity expert or firm to help identify the source of the attack and implement appropriate countermeasures.
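The per-IP rate limiting described above, together with the monitoring for suspicious activity mentioned in this paragraph, as an added example that is not code from DraftKings or SecurityScorecard: a sliding-window login throttle plus a detector that flags source addresses trying many distinct usernames, which is the signature of credential stuffing rather than one user mistyping their own password. The sample attempts, IP addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of login attempts: (timestamp_seconds, source_ip, username, success).
# Made-up values using documentation IP ranges; not data from the DraftKings incident.
SAMPLE_ATTEMPTS = [
    (0.0, "203.0.113.5", "alice", False),
    (0.5, "203.0.113.5", "bob", False),
    (1.0, "203.0.113.5", "carol", False),
    (1.5, "203.0.113.5", "dave", False),
    (2.0, "203.0.113.5", "erin", False),
    (2.5, "203.0.113.5", "frank", False),   # 6th attempt inside the window: throttled
    (3.0, "198.51.100.7", "alice", False),  # ordinary user mistyping their own password
    (4.0, "198.51.100.7", "alice", True),
]


class LoginThrottle:
    """Sliding-window limiter: at most `limit` attempts per source IP per `window` seconds."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:  # expire attempts that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # over the limit: reject, do not record
        q.append(now)
        return True


def process(attempts, limit=5, window=60.0):
    """Run every attempt through the throttle and return (ip, user, decision) tuples."""
    throttle = LoginThrottle(limit, window)
    return [(ip, user, "allowed" if throttle.allow(ip, ts) else "throttled")
            for ts, ip, user, _ok in attempts]


def stuffing_suspects(attempts, min_distinct_users=5):
    """Flag IPs that attempted at least `min_distinct_users` different accounts."""
    users_by_ip = defaultdict(set)
    for _ts, ip, user, _ok in attempts:
        users_by_ip[ip].add(user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_distinct_users}
```

Rate limiting alone only slows an attacker who rotates addresses, so the distinct-username count is the signal worth alerting on; in production the same check would be run against the authentication log rather than an in-memory list.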
In summary, the recent attack on DraftKings serves as a reminder of the importance of implementing strong cybersecurity measures to protect against credential-stuffing attacks and other types of cyber threats. By following best practices such as using unique and complex passwords, enabling multi-factor authentication, and regularly training employees on how to safeguard login information, businesses can significantly reduce the risk of falling victim to these types of attacks and protect their customers’ sensitive data.