Sports betting company DraftKings said today that it will cause entire customers to be affected by a credential stuffing attack that will result in losses of up to $300,000.

The statement follows an early Monday morning tweet saying that DraftKings was investigating reports [1, 2, 3, 4] customers experiencing problems with their accounts.

The common denominator for all accounts that have been hacked appears to be an initial deposit of $5 followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, then withdrawing as much as possible link of the victims. Bank accounts.

Some victims also expressed their frustration on social media as they were unable to get in touch with anyone at DraftKings while having to watch the attackers repeatedly withdraw money from their bank accounts.

“We currently believe that these customers’ login credentials were compromised on other websites and then used to access their DraftKings accounts where they used the same login credentials,” revealed DraftKings president and co-founder Paul Liberman more than 12 hours later.

“We have not seen any evidence that DraftKings systems were hacked to obtain this information. We have identified less than $300,000 in customer funds that have been affected, and we intend to repair any customers that have been hit.”

The company advised customers never to use the same password for more than one online service and never to share their credentials with third-party platforms, including betting trackers and online betting apps. more than those provided by DraftKings.

DraftKings customers who have not yet been impacted by this credential stuffing campaign are urged to immediately enable 2FA on their accounts and remove all bank details or better yet unlink their bank accounts to block fraudulent withdrawal requests.

​In credential stuffing, threat actors use automated tools to repeatedly attempt (up to millions at a time) to gain access to user accounts using credentials (usually pairs username/password) stolen from other online services.

This works especially well against accounts whose owners have reused credentials across multiple platforms.

The goal is to take control of as many accounts as possible to steal associated personal and financial information which can then be sold on the dark web or hacking forums.

Attackers will also use stolen information in future identity theft scams to make unauthorized purchases or, as happened in the case of hacked DraftKings accounts, transfer money to bank accounts linked to accounts under their control.

As the The FBI recently warnedthese attacks are rapidly increasing in volume thanks to readily available aggregated lists of leaked credentials and automated tools.

Okta also reported that the situation has worsened significantly this year, as it recorded more than 10 billion credential stuffing events on its platform in the first three months of 2022.

This figure represents approximately 34% of the overall authentication traffic Okta tracks, meaning that a third of all login attempts are malicious and fraudulent.