How DraftKings Hackers Pilfered $300K From Bettors And How To Protect Yourself

Three days ago, users of the sports betting service DraftKings began reporting that their accounts had been hacked. In cases in which the hacked accounts contained funds, users reported the hackers attempting to withdraw their funds to newly added bank cards. Yesterday, DraftKings acknowledged these reports publicly, announcing an investigation and directing affected customers to contact the company’s Customer Experience Team. Later that day, DraftKings posted an official statement attributing the account breaches to a widespread credential stuffing attack.

In credential stuffing attacks, threat actors take login credentials stolen in unrelated data breaches and enter them into various services in the hopes that some users re-used the stolen credentials across multiple services. Oftentimes, at least a subset of a service’s users do re-use email addresses, usernames, and passwords across other services, so when threat actors enter stolen credentials, they manage to gain unauthorized access to some users’ accounts.

Services can attempt to protect users’ accounts from credential stuffing attacks by asking for some form of secondary verification when someone tries to log in from an unfamiliar device or IP address. However, the surefire way to avoid falling prey to credential stuffing is to not re-use passwords. With the help of password managers like Bitwarden or KeePass, users can generate and save a strong, unique password for every one of their accounts. If users don’t re-use passwords, then threat actors can’t leverage stolen passwords to access other accounts.
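The two service-side signals described above, as an added example that is not part of the original article or of any DraftKings system: a single source IP trying many distinct accounts with mostly failed logins is the signature of credential stuffing, and a successful login from an IP an account has never used before is where a service would demand secondary verification. The login events, IP addresses and known-IP table are all constructed.

```python
from collections import defaultdict

# Constructed login events within one analysis window: (source_ip, username, login_succeeded).
# Not real data; the IPs are from documentation ranges.
EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),   # carol re-used a password leaked elsewhere
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("203.0.113.7", "frank", True),   # so did frank
    ("198.51.100.4", "alice", False),  # alice typo'd, then logged in from her usual IP
    ("198.51.100.4", "alice", True),
    ("192.0.2.9", "bob", True),        # bob from a new IP: legitimate or not, step-up applies
]

# Constructed table of IPs each account has previously logged in from successfully.
KNOWN_IPS = {"alice": {"198.51.100.4"}, "bob": {"192.0.2.99"}, "carol": {"192.0.2.5"}}


def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Source IPs that look like credential stuffing: many distinct usernames
    tried from one IP and most attempts failing, because stolen credentials
    only match the subset of users who re-used their passwords."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_accounts
        and s["successes"] / s["attempts"] <= max_success_ratio
    )


def needs_step_up(events, known_ips):
    """(username, ip) for each successful login from an IP the account has never
    used; this is the point at which a service would require a second factor."""
    return [(user, ip) for ip, user, ok in events
            if ok and ip not in known_ips.get(user, set())]


def likely_compromised(events):
    """Accounts that were successfully logged into from a flagged stuffing source;
    these are the accounts a defender would lock and force a password reset on."""
    bad_ips = set(stuffing_sources(events))
    return [(user, ip) for ip, user, ok in events if ok and ip in bad_ips]
```

Thresholds such as `min_accounts` and `max_success_ratio` are assumptions for the constructed data; in production they would be tuned per service and applied over a sliding time window rather than a fixed batch.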

Users can further secure their accounts by setting up multi-factor authentication (MFA) as well. With MFA enabled, logging in requires an additional authentication step after entering the correct username and password. This additional check can prevent threat actors from accessing users’ accounts even if the threat actors enter the correct login credentials. Enabling MFA can also stop threat actors from enabling MFA on compromised accounts to lock users out of their own accounts.

DraftKings’ official statement on the situation

According to an official statement by DraftKings, threat actors were recently able to gain unauthorized access to some user accounts with login information compromised on other services. However, a number of users have reported that their DraftKings accounts were protected by both unique passwords and two-factor authentication (2FA), which should make a successful credential stuffing attack impossible. If these claims are true, they may point to a potential security breach at DraftKings. Nonetheless, DraftKings seems to deny this conclusion, stating that it has seen no evidence that login information was stolen in a breach of its system.

Rather than deny the claims of either DraftKings or its users, we’d like to present an alternative theory. Some DraftKings users have reported that their accounts on FanDuel, another sports betting service, were also compromised, and DraftKings’ official statement warns users against entering their login credentials into third-party sites that track betting information. Perhaps threat actors managed to steal authentication tokens for both DraftKings and FanDuel accounts from one of these third-party sites. Stolen authentication tokens could possibly grant threat actors access to users’ accounts even if their accounts were protected by unique passwords and 2FA. However, we should be clear that this explanation is simply a guess at this point.

Regardless of how the account breaches took place, it seems that once the threat actors gained access to users’ accounts, they set up SMS 2FA using phone numbers under their control, effectively locking users out of their own accounts. The threat actors then added new bank cards to the compromised accounts and withdrew all the outstanding funds. DraftKings says that the stolen funds amount to less than $300,000. Fortunately for users, the company plans to fully reimburse customers whose funds were stolen.