"Hackers Steal $300,000 in DraftKings Credential Stuffing Attack"

DraftKings, a sports betting company, has announced that it would refund all customers who were affected by a credential stuffing attack that resulted in losses of up to $300,000. The statement comes after DraftKings tweeted that it was looking into reports of customers having problems with their accounts. The initial $5 deposit appears to be the common denominator for all accounts that were hijacked, followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, and then withdrawing as much as possible from the victims' linked bank accounts. Some victims have also expressed their dissatisfaction on social media because they were unable to contact anyone at DraftKings while the attackers continued to withdraw money from their bank accounts. According to DraftKings President and Co-founder Paul Liberman, the login information of these customers was compromised on other websites and then used to access DraftKings accounts where they used the same login information. Customers were advised not to use the same password for more than one online service and not to share their credentials with third-party platforms, such as betting trackers and betting apps other than those provided by DraftKings. Customers who have not yet been affected by this credential stuffing campaign should immediately enable 2FA on their accounts and remove any banking details or unlink their bank accounts to prevent fraudulent withdrawal requests. As the FBI recently warned, credential stuffing attacks are rapidly increasing in volume as a result of easily accessible aggregated lists of leaked credentials and automated tools. This article continues to discuss the DraftKings credential stuffing attack that resulted in the theft of $300,000 and the rise of such attacks.

Bleeping Computer reports "Hackers Steal $300,000 in DraftKings Credential Stuffing Attack"