DraftKings Data Breach Exposes Sensitive Information of 67,000 Customers

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Dec 20, 2022 06:59 am PST

Last week, sports betting company DraftKings revealed that a credential stuffing attack in November exposed the personal information of over 67,000 customers. Credential stuffing attacks involve the use of automated tools to make thousands, if not millions, of attempts to sign into accounts using stolen user and password pairs. These attacks are especially effective when people use the same login information across multiple platforms, allowing attackers to gain access to a large number of accounts.

The attacker’s goal is frequently to steal personal and financial information, which is sold on hacking forums or the dark web. The stolen information, on the other hand, could be used in identity theft scams to make unauthorized purchases or empty linked bank accounts. Individuals must use unique login information for each of their accounts and regularly update their passwords to protect themselves from these types of attacks.

In a notification filed with the Main Attorney General’s office, the company stated that the attackers were able to obtain the credentials needed to access the customers’ accounts from a source outside of DraftKings. The data that may have been accessed by the attackers included names, addresses, phone numbers, email addresses, the last four digits of payment cards, profile photos, transaction histories, account balances, and last password change dates.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, said this about the security breach: “Unfortunately, it shouldn’t be a surprise that hackers have used the wealth of sensitive information on DraftKings to steal identities and steal money. DraftKings has been given a grade of C in the cybersecurity rating system maintained by SecurityScorecard. “Lower grades indicate a greater potential for a data breach.”

Sherstobitoff went on to talk more about the importance of suitable cybersecurity measures. He said that these are especially important for organizations that deal with a lot of sensitive data. His advice to businesses was to “have up-to-date cybersecurity procedures that everyone follows” and to “evaluate their cybersecurity strategy, have a complete picture of their attack surface, look for ways to gain visibility into vulnerabilities, and continuously monitor third-party cybersecurity posture to reduce the likelihood of attacks.”

The Dangers of Credential-Stuffing Attacks: What You Need to Know

Individuals and companies should implement several preventative measures to shield themselves from credential-stuffing attacks. One of the best ways to keep hackers out of your online accounts is to use different, hard-to-crack passwords for each one. Even if hackers successfully steal login credentials from one account, it is more difficult for them to gain access to multiple accounts on other accounts. Using a password manager to make and store these unique passwords and ensure they are always up-to-date is another smart thing to do.

Enabling multi-factor authentication (also known as MFA) on all accounts is another essential step. MFA requires that users give more than just their username and password to prove their identity. This can take the form of a code sent to a user’s phone or a biometric scan of the user’s fingerprints. Even if hackers get hold of login information, this measure will make it harder for them to get into an account.

Sharing an individual’s or company’s login information with a third party raises the likelihood that their credentials will be stolen and is, therefore, something that should be done with caution by both individuals and businesses. It is also a good idea to steer clear of using public Wi-Fi networks, as these can be susceptible to cybercriminals who may be able to steal login information from users of these networks.

In addition to taking these steps, people and businesses should keep a close eye on their accounts and immediately report any strange or suspicious activity to their bank or another financial institution. It is also a good idea to review the settings and security measures associated with your account regularly to ensure they are effective and up to date. Individuals and businesses alike can significantly lessen the likelihood of falling prey to credential-stuffing attacks and other cybercrime by following the aforementioned preventative measures.

DraftKings Data Breach Highlights Tips for Protecting Online Accounts

In addition to the measures mentioned above, there are several other ways that businesses can further strengthen their cybersecurity defenses against credential-stuffing attacks and other types of cyber threats. One of such measure is the use of a password manager, which can help generate and store unique and complex passwords for different online accounts. It reduces the risk of password re-use and makes it more difficult for hackers to access multiple accounts.

Another effective measure is the use of rate limiting, which involves setting limits on the number of login attempts that can be made from a single IP address within a given time frame. This helps to prevent automated attacks by requiring the attacker to slow down their attempts or switch to a different IP address, making it more difficult for them to gain access to accounts.

Another important measure is the use of CAPTCHA, which stands for Completely Automated Public Turing test, to tell Computers and Humans Apart. This is a type of challenge-response test that is used to determine whether the user is a human or a machine. By requiring users to enter a code or solve a puzzle, CAPTCHA helps to prevent automated attacks and can significantly reduce the risk of credential-stuffing attacks.

It is also important for businesses to regularly monitor their systems for any suspicious activity and to have robust incident response plans in place to quickly address and resolve any security breaches that do occur. This may involve seeking the assistance of a cybersecurity expert or firm to help identify the source of the attack and implement appropriate countermeasures.

In summary, the recent attack on DraftKings serves as a reminder of the importance of implementing strong cybersecurity measures to protect against credential-stuffing attacks and other types of cyber threats. By following best practices such as using unique and complex passwords, enabling multi-factor authentication, and regularly training employees on how to safeguard login information, businesses can significantly reduce the risk of falling victim to these types of attacks and protect their customers’ sensitive data.

Notify of
5 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Javvad Malik
Javvad Malik , Security Awareness Advocate
InfoSec Leader
December 21, 2022 2:42 pm

“Credential stuffing attacks can be used to compromise many accounts. This is particularly effective when people reuse the same password across different services or use easily guessible passwords.

Organisations should deploy controls to detect and protect accounts from credential stuffing attacks and also offer multi factor authentication to users which can greatly reduce the number of accounts that criminals can compromise.

Users should also be mindful to not reuse passwords and use strong passwords. A password manager can help in this regard. 

For now, any impacted customers should make sure they change any other accounts passwords where they reused this compromised one.”

Last edited 9 months ago by Javvad Malik
Grant Wyatt
Grant Wyatt , Chief Operating Officer
InfoSec Expert
December 21, 2022 2:41 pm

“Passwords are outdated and provide customers with a poor user experience – and in the gaming industry they no longer meet security requirements or comply with a number of regulations. The recent legislations introduced from New Jersey and, most recently, Pennsylvania, to mandate 2FA login for commercial enterprises, is a major step in the right direction to help operators address security issues. Yet, whilst using conventional multi-step multi-factor authentication – via SMS or authenticator app – helps with the issue at hand, organisations will continue to experience loss of revenue as a result of customer frustration with the many steps involved within the process. This stresses the importance for the sports betting community to embrace change and accept that single-step, passwordless MFA is the future. Passwords are not a reliable security measure and will never be able to meet the needs of an organisation or their regulators and customers.”

Last edited 9 months ago by grant.wyatt
Jonathan Knudsen
Jonathan Knudsen , Senior Security Strategist
InfoSec Expert
December 21, 2022 2:40 pm

“Passwords are hard to manage properly. People use the same password across multiple accounts, write passwords on sticky notes where anyone can see them, and often choose easy-to-guess passwords. Applications have their own problems handling passwords correctly, including storing passwords as plaintext, allowing easy-to-guess passwords, transmitting passwords without encryption, and more.

“Recent attacks against DraftKings take advantage of password-related weaknesses. Users can protect themselves by using strong passwords and using a different password for every account. A password manager can be helpful. Applications can be made stronger by making security part of every phase of development. For example, performing threat modelling during application design would reveal the need to implement security controls that mitigate the risks of credential stuffing. A better design and runtime controls would allow the application to detect and frustrate credential stuffing attacks.”

Last edited 9 months ago by Jonathan Knudsen
Ryan Sherstobitoff
Ryan Sherstobitoff , Senior Vice President of Threat Research and Intelligence
InfoSec Expert
December 21, 2022 2:39 pm

“As one of the major players in the sports betting industry and a host to the personally identifiable information of around 1.6 million monthly unique paying customers, it is, unfortunately, no surprise that hackers have leveraged DraftKings’ wealth of sensitive information to generate identity theft and financial scams. In SecurityScorecard’s cybersecurity rating system, DraftKings is rated a C, with lower grades having a higher likelihood of a breach.

To better defend and protect your organization’s critical systems and ensure operational resilience, companies need to understand the threat. Organizations, especially those that handle large amounts of sensitive information, must have up-to-date cybersecurity procedures that everyone follows. Additionally, it is crucial for companies to evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and continuously monitor third-party cybersecurity posture in order to reduce the likelihood of attacks.”

Last edited 9 months ago by Ryan.Sherstobitoff
Rob Griffin
Rob Griffin , CEO
InfoSec Expert
December 21, 2022 2:34 pm

“This story serves as another example of the downfall of optional MFA. With credential stuffing attacks on the rise, it’s absolutely essential that MFA is mandated across the board, and fast. The fact of the matter is, if the victims had enabled MFA, this would not have happened. 

Also interesting here is that the hackers actually used MFA to their advantage, locking customers out of their accounts. This is a perfect example of why SMS is the worst form of MFA. If cybercriminals manage to get hold of a customer’s password and enable SMS MFA using their own phone number, they will have total control over the victim’s account. Beyond this, SMS MFA is slow, clunky and suffers from a high login failure rate due to sms non-delivery or errors copying the code. For apps dependent on providing entertainment, such as online gaming and gambling, this creates friction and delay in users’ journeys. That friction damages users’ overall experience and their engagement in the app. 

Single-step MFA is the solution. Firstly because it it had been mandated across the board, the credential stuffing attack would not have succeeded. Secondly, because it enables both the fastest login of any (2 seconds) and the highest login success rate (99.7% on average).

One thing is for sure, even though most users will have been compensated for their $300,000 loss, they will not have been left with a good experience!”

Last edited 9 months ago by rob.griffin

Recent Posts

Would love your thoughts, please comment.x