DraftKings is a popular online sports gambling site where users can place bets on their favorite sports teams and events. The company reported on November 21, 2022 that a large number of accounts had been compromised due to a credential stuffing attack from a third-party attacker. The information of more than 67,000 users was exposed, including names, addresses, phone numbers, email addresses and profile pictures. While DraftKings insists they do not store credit card numbers, card expiration dates or CVVs, some historical transaction information could have been exposed, such as the last four digits of payment cards and dates concerning prior transactions or password changes. Most alarming, however, was the fact that some users had money withdrawn from the bank accounts that were linked to their DraftKings profile. Up to $300,000 was stolen by the attackers. DraftKings has pledged to reimburse any users that lost money as a result of the incident. DraftKings stock declined 10% immediately after the attack was reported.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
DraftKings was tipped off about the attack by unusual logon and bank withdrawal activity that was occurring in real time. In addition, DraftKings users repeatedly attempted to contact the company as they observed unauthorized transactions resulting in money being withdrawn from their accounts. Throughout the attack, the cybercriminals followed a definite pattern. Once they logged on successfully to an account, they added a new bank account to the profile and deposited a $5 promotion-related reward. They then added an additional phone number and used it to enable two-factor authentication. This prevented the actual account holders from accessing their accounts, allowing the attackers to then empty the user's bank account into their newly added account.
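One way to turn the pattern above into detection logic, as an added example that is not part of the original write-up: the event names, the constructed sample log and the one-hour window are assumptions, not DraftKings' actual telemetry. It flags an account once the attacker has re-pointed 2FA, which is earlier than waiting for the withdrawal.

```python
"""Flag the account-takeover sequence described in the DraftKings incident.

Added example for this write-up; the event format, stage names and the
one-hour window are assumptions, not DraftKings' real telemetry.
"""
from datetime import datetime, timedelta

# Stages the attackers followed, in order, after each successful login.
TAKEOVER_STAGES = ("login_success", "add_bank_account", "deposit",
                   "add_phone", "enable_2fa", "withdrawal")

# Constructed sample events: (ISO timestamp, account id, event type).
SAMPLE_EVENTS = [
    ("2022-11-18T02:14:05", "user_42", "login_success"),
    ("2022-11-18T02:14:40", "user_42", "add_bank_account"),
    ("2022-11-18T02:15:02", "user_42", "deposit"),        # the $5 reward deposit
    ("2022-11-18T02:15:30", "user_42", "add_phone"),
    ("2022-11-18T02:15:45", "user_42", "enable_2fa"),
    ("2022-11-18T02:20:10", "user_42", "withdrawal"),
    ("2022-11-18T09:00:00", "user_77", "login_success"),  # benign: slow, partial
    ("2022-11-18T09:05:00", "user_77", "deposit"),
    ("2022-11-19T11:00:00", "user_77", "add_phone"),
]


def matched_stages(events, account, window=timedelta(hours=1)):
    """Longest prefix of TAKEOVER_STAGES seen in order for `account`,
    counted from any login and only within `window` of that login."""
    timeline = sorted((datetime.fromisoformat(ts), ev)
                      for ts, acct, ev in events if acct == account)
    best = 0
    for i, (login_ts, ev) in enumerate(timeline):
        if ev != TAKEOVER_STAGES[0]:
            continue
        pos = 1  # the login itself is stage 0
        for ts, later in timeline[i + 1:]:
            if ts - login_ts > window or pos == len(TAKEOVER_STAGES):
                break
            if later == TAKEOVER_STAGES[pos]:
                pos += 1
        best = max(best, pos)
    return best


def flag_accounts(events, min_stages=5, window=timedelta(hours=1)):
    """Accounts that completed at least `min_stages` of the pattern; with the
    default of 5 the alert fires once 2FA is re-pointed, before the withdrawal."""
    scores = {a: matched_stages(events, a, window)
              for a in {acct for _, acct, _ in events}}
    return {a: s for a, s in scores.items() if s >= min_stages}
```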
|CONTAINMENT (If IoCs are identified)|
DraftKings took additional unpublished actions to secure the compromised accounts. All users were then prompted to reset their passwords. The company sent notification letters to all users informing them of the incident. The company notified local law enforcement and began conducting its own investigation as well. Customers are being encouraged to monitor their account statements and credit reports for the time being.
Credential stuffing attacks are on the rise. According to identity and access management company Okta, more than 10 billion credential stuffing events occurred on its platform alone in the first quarter of 2022. That represents roughly 34% of all authentication traffic on its platform. The DraftKings attack demonstrates how vulnerable online accounts are when they aren't protected by MFA. Cybercriminals harvest giant lists of stolen account credentials and use them to access highly popular websites and online services. Because users often use the same email address and password for all their accounts, attackers can throw these credentials at other online banking sites and online retail sites. Ideally, users should use a different password for every online account they have. Because this is difficult to manage, users should at the least separate their online accounts into various tiers of sensitivity. This means that while you may use the same robust, complex password for separate banking and brokerage accounts, that password will be different from the one protecting a magazine subscription, and the password assigned to your financial accounts will be more robust and complex as well.