Hackers lift $300,000 in DraftKings credential stuffing attack

American sports betting company DraftKings announced on Monday it had suffered a credential stuffing attack that led to customer losses of up to $300,000. The firm soon said it would return money to clients’ accounts.

Early on Monday, DraftKings tweeted it was investigating reports of customers experiencing issues with their accounts.

Twelve hours later, the company confirmed in another tweet that customer funds were affected but added that it had seen no evidence of DraftKings’ systems having been breached.


The common denominator for all hijacked accounts appears to be an initial $5 deposit. The attackers then changed the password, enabled two-factor authentication (2FA) on a different phone number, and withdrew as much cash as possible from the victims' linked bank accounts.

Some affected customers watched live as the attackers repeatedly withdrew money from their bank accounts, and said they were unable to reach anyone at DraftKings.

“We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted,” DraftKings President and Cofounder Paul Liberman revealed more than 12 hours later.

The company also advised customers never to use the same password for more than one online service and never to share their information with third-party platforms, including betting trackers and betting apps besides the ones provided by DraftKings.

The credential-stuffing campaign appears to be ongoing, so DraftKings customers who have not yet been affected were advised to turn on 2FA immediately and remove any banking details from their accounts.

The safest option, though, is to unlink their bank accounts altogether in order to block fraudulent withdrawal requests.

In credential stuffing, threat actors use automated tools to make repeated login attempts, up to millions at a time, using credentials (usually username/password pairs) stolen from other online services.

This works particularly well against accounts whose owners have reused credentials across multiple platforms. The vast majority of cybersecurity experts sternly warn against doing so, but research shows that people usually don't bother and reuse the same simple password on multiple accounts.
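The two patterns the article describes, a single source hammering many different usernames with stolen pairs, and the takeover sequence of password change, 2FA phone change and withdrawal on a hijacked account, can both be spotted in account event logs. The following detector is an added example written for this article, not DraftKings code; the event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth/account events, not real data: (time, src_ip, user, event)
T0 = datetime(2022, 11, 21, 8, 0)
EVENTS = []
# One source tries 25 different usernames in under two minutes, nearly all failing:
# the classic credential-stuffing signature (many users, few successes, one origin).
for i in range(25):
    EVENTS.append((T0 + timedelta(seconds=4 * i), "203.0.113.7", f"user{i:02d}",
                   "login_ok" if i == 3 else "login_fail"))
# A legitimate user who mistypes a password twice and then succeeds.
EVENTS += [(T0, "198.51.100.9", "alice", "login_fail"),
           (T0 + timedelta(seconds=20), "198.51.100.9", "alice", "login_fail"),
           (T0 + timedelta(seconds=40), "198.51.100.9", "alice", "login_ok")]
# Takeover sequence on the one account the stuffing run got into.
EVENTS += [(T0 + timedelta(minutes=3), "203.0.113.7", "user03", "password_change"),
           (T0 + timedelta(minutes=4), "203.0.113.7", "user03", "mfa_phone_change"),
           (T0 + timedelta(minutes=6), "203.0.113.7", "user03", "withdrawal")]

def stuffing_sources(events, window=timedelta(minutes=5), min_users=10, max_success=0.2):
    """Return source IPs that tried many distinct usernames within `window` with mostly failures."""
    by_ip = defaultdict(list)
    for t, ip, user, ev in events:
        if ev in ("login_ok", "login_fail"):
            by_ip[ip].append((t, user, ev))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t, _, _) in enumerate(attempts):
            span = [a for a in attempts[i:] if a[0] - t <= window]   # sliding window from attempt i
            users = {u for _, u, _ in span}
            ok = sum(1 for _, _, ev in span if ev == "login_ok")
            if len(users) >= min_users and ok / len(span) <= max_success:
                flagged.add(ip)
                break
    return flagged

def takeover_candidates(events, window=timedelta(minutes=30)):
    """Return users whose password change, 2FA phone change and withdrawal all fall within `window`."""
    by_user = defaultdict(dict)
    for t, _, user, ev in events:
        if ev in ("password_change", "mfa_phone_change", "withdrawal"):
            by_user[user].setdefault(ev, t)   # keep the first occurrence of each step
    return {u for u, steps in by_user.items()
            if len(steps) == 3 and max(steps.values()) - min(steps.values()) <= window}
```

A real deployment would key the first check on more than the raw IP (stuffing tools rotate through proxies), and would hold or step-up verify withdrawals that follow a fresh password or 2FA change rather than only alerting on them.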

The goal of credential stuffing attacks is to take over as many accounts as possible and steal the associated personal and financial data, which can later be sold on the dark web or on hacking forums.

The attackers may also use the stolen information in later identity theft scams to make unauthorized purchases or, as happened with the hijacked DraftKings accounts, to transfer money from linked bank accounts to accounts under their control.

The Federal Bureau of Investigation (FBI) warned recently that these attacks are growing quickly in volume, thanks to the mushrooming of aggregated lists of leaked credentials and automated tools.

For example, Cybernews reported in June that scammers stole the credentials of hundreds of millions of Facebook users and made around $59 million in total since the end of 2021.