"Personal Information of 68,000 DraftKings Users Exposed in Credential Stuffing Attack"
DraftKings, a Nasdaq-listed sports betting company, revealed that the personal information of almost 68,000 clients was exposed in a credential stuffing attack in November. A credential stuffing attack is a cyberattack in which an attacker leverages previously stolen account credentials to gain access to a third-party system. This method of attack relies on the poor practice reusing passwords across multiple websites. DraftKings said at the time that there was no indication that its systems had been compromised, despite reports suggesting that the company's systems had been infiltrated. The company also stated that it detected less than $300,000 in customer funds affected by unusual activity and would pay impacted customers. DraftKings filed a report of a data breach with the Maine Attorney General's Office on December 16, revealing the exact number of affected consumers. The company states in the letter that it discovered the credential stuffing attack on November 18, conducted an investigation, and took multiple steps, including ordering affected consumers to reset their DraftKings passwords and implementing extra fraud alerts. The investigation revealed that while there was no proof that DraftKings login credentials were stolen, the malicious actors were nonetheless able to access some accounts. If an account was compromised, the attacker might have collected the account holder's name, address, phone number, email address, profile photo, transaction history, and the last four digits of payment cards. There was no evidence that the attackers gained access to Social Security numbers, driver's license information, or financial account data. Users are urged to change their passwords if they have not already done so, not only on DraftKings but also on other sites. Users are also encouraged to review their accounts and credit reports, and to consider freezing their credit reports. This article continues to discuss the credential stuffing attack experienced by DraftKings that resulted in the exposure of nearly 68,000 customers' personal information.