
DraftKings November data breach exposes 68,000 customer accounts
Sportsbook operator confirms “credential stuffing” attack in new data breach notification letter


More than 68,000 DraftKings customers saw their personal information exposed to hackers following a November cyberattack, the sportsbook operator has confirmed.
Information on how many accounts were affected was revealed by the operator as part of a data breach notification filed with the Attorney General’s office in Maine, which listed 67,995 affected accounts across the US.
In respect of Maine, DraftKings confirmed 125 residents had been subjected to a “credential stuffing attack” on November 18, with the data breach identified by the operator on the same day.
Included in this notification were sample letters sent to customers looping in the main US credit information agencies, including Equifax, Experian and TransUnion.
Credential stuffing attacks are cyberattacks where hackers use login credentials obtained from a third-party source to gain access to user accounts.
In most cases, they occur when individuals use the same login credentials on multiple websites.
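The two paragraphs above describe the attack pattern: stolen username/password pairs are replayed against many accounts, so from the defender's side a stuffing campaign looks like one source trying a large number of distinct accounts with a high failure rate, rather than one user mistyping a password. The following detection routine, an added example that is not part of the original article and not DraftKings' own tooling, runs that heuristic over constructed authentication log lines (the IPs, usernames, timestamps and log format are all invented for illustration):

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample authentication log (not real DraftKings data).
# 203.0.113.5 behaves like a credential-stuffing source: six different
# accounts in 30 seconds, one of which succeeds. The other two sources
# look like ordinary users.
SAMPLE_LOG = """\
2022-11-18T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-11-18T10:00:04Z ip=203.0.113.5 user=bob result=FAIL
2022-11-18T10:00:09Z ip=203.0.113.5 user=carol result=FAIL
2022-11-18T10:00:15Z ip=203.0.113.5 user=dave result=FAIL
2022-11-18T10:00:22Z ip=203.0.113.5 user=erin result=OK
2022-11-18T10:00:31Z ip=203.0.113.5 user=frank result=FAIL
2022-11-18T10:05:00Z ip=198.51.100.7 user=gina result=FAIL
2022-11-18T10:05:10Z ip=198.51.100.7 user=gina result=FAIL
2022-11-18T10:05:20Z ip=198.51.100.7 user=gina result=OK
2022-11-18T10:06:00Z ip=192.0.2.9 user=hank result=OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, kv["ip"], kv["user"], kv["result"] == "OK")


def parse_log(text: str) -> List[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(events: List[AuthEvent],
                          window: timedelta = timedelta(minutes=5),
                          min_users: int = 5,
                          max_success_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, within some sliding time window, attempted logins
    for at least `min_users` distinct accounts with a mostly failing outcome.
    For each flagged IP the window with the most distinct accounts is reported,
    including which accounts were successfully logged into (likely takeovers)."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": sum(e.success for e in win),
                    "compromised": sorted(e.user for e in win if e.success),
                }
        ratio = best["successes"] / best["attempts"]
        if best["distinct_users"] >= min_users and ratio <= max_success_ratio:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['successes']}/{info['attempts']} succeeded, "
              f"possible takeovers: {info['compromised']}")
```

The per-IP heuristic is only a starting point: real campaigns are usually spread across many proxy addresses to stay under exactly this kind of threshold, so production detection also tracks the platform-wide rate of failures across distinct accounts, device and browser fingerprints, and successful logins from never-before-seen locations. Accounts listed under `compromised` are the ones to force a password reset on and to review for the kind of post-login changes (new phone number, deposits from a stored card) the article goes on to describe.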
Reports that DraftKings had been the subject of a cyberattack first surfaced on 22 November, with the company’s stock dropping by almost 9% following the revelations.
The operator later confirmed that almost $300,000 in customer funds had been taken by hackers.
Several users of the sportsbook and igaming operator reported anomalous activity on their accounts, which included the usage of stored credit card information on the DraftKings site to make deposits.
In other instances, as posted on social media, hackers changed the phone numbers associated with accounts, making it difficult for users to change their passwords or temporarily lock their accounts and leaving many with no option but to take to Twitter to voice their concerns.
In the wake of the attack, DraftKings advised its users to change their passwords and, where possible, set up two-factor authentication, a widely used account-protection measure that requires a second proof of identity, typically from a separate device, in addition to the password.
DraftKings confirmed in the breach notification letter to the Attorney General’s office that all monies taken from the affected accounts had been restored to its customers, and that there was no evidence that the login credentials used had been obtained from its own software.
“We promptly took steps to address these incidents including, among other things, initiating an internal investigation, requiring affected customers to reset their DraftKings passwords and implementing additional fraud alerts,” the letter states.
“We have restored amounts that have been withdrawn from certain accounts in connection with credential stuffing attacks, as determined and identified by DraftKings. We have also notified certain law enforcement and we intend to assist them,” it adds.