The DraftKings sports betting company announced that its customers are impacted by the threat actor’s credential stuffing attack, resulting in a loss of about $300,000. The betting entity’s announcement was followed by an investigation of customers who experienced several malfunctions and issues with their accounts.
Based on reports, most accounts that got hacked appear to have an initial deposit of $5, followed by changing passwords. The password changes also triggered the 2FA on a different phone number, and the threat actors withdrew as much money as possible from their victims’ linked bank accounts.
The impacted individuals were frustrated since DraftKings was hard to contact following the incident.
Numerous victims have expressed their disappointments on multiple social media platforms since no one from DraftKings can be contacted regarding the malicious incident. Hence, the customers of the betting platform have witnessed hackers repeatedly getting money from their bank accounts.
However, the company advised its customers never to use an identical password for over one online platform and never reveal credentials to third-party services, such as betting trackers and betting apps, aside from the ones provided by DraftKings.
Customers of the betting app who the campaign has not yet infected should immediately activate their 2FA on their accounts, delete any banking information, or unlink their banks to remove any chance of fraudulent withdrawal requests.
Credential stuffing attacks are automated tools that could execute repeated attempts to acquire access to user accounts using details stolen from other online services. The primary objective of such an attack is to take over as many accounts as possible from the targeted platform to steal any profitable funds.
The most common entities hackers want to obtain are linked personal and financial information that can later be sold or traded on underground marketplaces or malicious hacking forums.
Lastly, the adversaries will utilise the stolen information for future malicious campaigns, like identity theft scams, to execute unauthorised purchases. In this case, for DraftKings accounts, the attackers have transferred money in linked banking accounts to entities they own.