How DraftKings Hackers Pilfered $300K From Bettors And How To Protect Yourself
In credential stuffing attacks, threat actors take login credentials stolen in unrelated data breaches and enter them into various services in the hopes that some users re-used the stolen credentials across multiple services. Oftentimes, at least a subset of a service’s users do re-use email addresses, usernames, and passwords across other services, so when threat actors enter stolen credentials, they manage to gain unauthorized access to some users’ accounts.
Services can attempt to protect users’ accounts from credential stuffing attacks by asking for some form of secondary verification when someone tries to log in from an unfamiliar device or IP address. However, the surefire way to avoid falling prey to a credential stuffing is to not re-use passwords. With the help of password managers like Bitwarden or KeePass, users can generate and save a strong, unique password for every one of their accounts. If users don’t re-use passwords, then threat actors can’t leverage stolen passwords to access other accounts.
Users can further secure their accounts by setting up multi-factor authentication (MFA) as well. With MFA enabled, logging in requires an additional authentication step after entering the correct username and password. This additional check can prevent threat actors from accessing users’ accounts even if the threat actors enter the correct login credentials. Enabling MFA can also stop threat actors from enabling MFA on compromised accounts to lock users out of their own accounts.
Rather than deny the claims of either DraftKings or its users, we’d like to present an alternative theory. Some DraftKings users have reported that their accounts on FanDuel, another sports betting service, were also compromised, and DraftKings’ official statement warns users against entering their login credentials into third-party sites that track betting information. Perhaps threat actors managed to steal authentication tokens for both DraftKings and FanDuel accounts from one of these third-party sites. Stolen authentication tokens could possibly grant threat actors access to users’ accounts even if their accounts were protected by unique passwords and 2FA. However, we should be clear that this explanation is simply a guess at this point.
Regardless of how the account breaches took place, it seems that once the threat actors gained access to users’ accounts, they set up SMS 2FA using phone numbers under their control, effectively locking users out of their own accounts. The threat actors then added new bank cards to the compromised accounts and withdrew all the outstanding funds. DraftKings says that the stolen funds amount to less than $300,000. Fortunately for users, the company plans to fully reimburse customers whose funds were stolen.