Recently, there was a breach to multiple DraftKings users accounts.
As a quick recap, DraftKings is a daily fantasy sports contest and sports betting company based in the United States.
The breach described as a credential stuffing attack – when an attacker uses already leaked credentials (login username and password) of a digital account to hack into another account.
Credential stuffing naturally becomes possible where the victim recycles passwords – uses same or similar passwords for several accounts – and where there isn’t an MFA protection.
In the breach of DraftKings users, an unknown number of users discovered that money deposited in their account was stolen. The company compensated the users affected by the attack in the total amount of $300,000.
This is actually quite a peculiar event in the cybercrime landscape.
The interesting fact is that DraftKings says its systems were not hacked. However, the company suffered financial loss, due to the compensation, and possibly also a reputation damage.
The event demonstrates the significance of leaked credentials as a threat intelligence source, especially with regards to accounts which contain deposited balance, or permission to withdraw money from a bank account, and also accounts with sensitive information, when the incentive to commit credential stuffing is higher. Those kinds of accounts, in particular, should be protected by a unique password (from the client’s side), and by an added layer of authentication, e.g., MFA (from the provider’s side).
Another interesting fact, which by-context emphasizes our takes, is that one of DraftKings competitors, FanDuel, has also seen an increase in account takeover attempts against its users.
SLING risk score calculates leaked credential dumps gathered from multiple Darknet and Telegram sources, and takes into consideration the possibility of credential stuffing.