© 2026 CoolTechZone - Latest tech news,
product reviews, and analyses.

DraftKings discloses data breach caused by credential stuffing attack


Sports gambling firm DraftKings has informed customers of a recent “security incident” in which hackers managed to steal personal information.

In a data breach notification addressed to the Office of the Massachusetts Attorney General, the American gambling company states it became aware of the incident on September 2nd. An unauthorized party successfully gained access to a “limited account” of personal data.

The attackers exfiltrated full names, postal addresses, dates of birth, telephone numbers, email addresses, the last four digits of payment cards, profile photos, transaction overviews, balances, and dates that passwords were last changed.

DraftKings’ investigation showed there was no evidence that login credentials were obtained from the company’s computer servers or networks. Instead, these were stolen from an external source and used in this attack. This is called a credential stuffing attack.

In a credential stuffing attack, hackers take login details stolen from one website and try them against other online services to see whether they also work there. This attack method only works if people reuse the same password for multiple online accounts, and if companies do not block such automated login attempts.

“The security of your personal information is important to DraftKings, which is why we promptly took steps to address this incident, including, among other things, by initiating an internal investigation, requiring potentially affected customers to reset their DraftKings account passwords, requiring multifactor authentication for logins to DK Horse accounts, and implementing additional technical measures designed to prevent similar attacks,” the gambling firm says in its data breach notification.

DraftKings is asking affected customers to change their account password, review bank statements, and watch for fraud alerts.

The data breach notification doesn’t say how many customers were affected by the incident. However, a company spokesperson told BleepingComputer that the attack impacted fewer than 30 customers.

“DraftKings reported a potential security incident involving suspicious logins to the accounts of less than 30 customers. Our investigation to date has observed no evidence that the login credentials used were obtained from DraftKings or that DraftKings’ computer systems or networks were breached. Most importantly, no customers have experienced financial loss because of this incident,” the spokesperson said.

This is the second time DraftKings has had to deal with a credential stuffing attack. Back in November 2022, the betting company revealed that personal information of almost 68,000 customers was exposed in a credential stuffing attack.

