In late November 2022, sports betting firm DraftKings announced that it had suffered a data breach affecting approximately 68,000 customers. The company stated that the breach resulted from a credential stuffing attack, in which attackers obtained credentials from a third-party source and attempted to use them to access DraftKings accounts.
According to DraftKings, the attackers were able to withdraw around $300,000 from compromised accounts before the breach was discovered. The company has since refunded all stolen funds to affected customers.
While the attack did not involve a breach of DraftKings’ systems, the company has disclosed that personal information such as names, addresses, phone numbers, email addresses, and profile pictures may have been compromised in the attack. Additionally, the attackers may have accessed the last four digits of payment cards, details of prior transactions, and the date of the last password change for affected accounts.
DraftKings has emphasized that there is no evidence that social security numbers, driver’s license numbers, or financial account numbers were compromised in the attack. The company also noted that it does not store full payment card numbers, expiration dates, or CVVs, so these types of sensitive information were not at risk.
In response to the data breach, DraftKings has prompted impacted customers to reset their account passwords and has urged all customers to review their account and credit reports for any suspicious activity. The company has also informed the Maine Attorney General that the attack impacted 67,995 individuals.
The data breach at DraftKings highlights the importance of protecting personal and financial information from cyber attacks. As a business owner, it is important to implement strong password policies, regularly update software and security protocols, and monitor for suspicious activity to protect against credential-stuffing attacks and other cyber threats. Additionally, it is crucial for individuals and organizations to use unique, strong passwords for each account and to regularly update these passwords to reduce the risk of falling victim to a credential-stuffing attack. By taking these precautions, you can help ensure the security of your business and your customers’ personal and financial information.