New details about a hack from last month show that tens of thousands of users happily gambling away on DraftKings may have had their personal information stolen after stolen account credentials were used to break into accounts on the sports gambling site.
In a letter dated Dec. 16 that was apparently sent to users, first reported by BleepingComputer, the company said 67,995 people had their personal details exposed to hackers in the breach, adding to the financial hit some select accounts experienced in a brute-force hacking attack last month.
The company wrote that the name, address, phone number, and email address on a user’s account could all have been recorded during the hack. Hackers may have also had access to users’ profile photo, balance, and the last four digits of their payment card. The company said the full card number, as well as the CVV code and expiration date, are not stored on the main account page.
In an email statement to Gizmodo, company spokesperson James Chrisholm said the company “provided formal notice of the credential stuffing attacks to certain customers in jurisdictions where required to do so.” The spokesperson added that DraftKings has restored the lost amounts to all affected users. The company also reiterated that it has received “no evidence” the user logins came from inside DraftKings.
Last month, users vented their frustrations with the company after they saw their accounts being stripped of funds while being locked out of their accounts, according to reports from the time. All the while, hackers on Twitter were apparently gloating about their robbery as users tried to get responses from DraftKings support channels.
That initial breach back in November saw less than $300,000 drained from user accounts, according to the company. DraftKings co-founder Paul Liberman previously said in a statement that the company was making any affected customers whole. The company also said it had reset affected users’ passwords.
BleepingComputer reported that the unknown person or persons who conducted the breach had been selling the accounts, with notes on their deposit balances, for $10 to $35 a pop. As BleepingComputer noted, the hacked accounts first received a $5 deposit, which enabled a password change and a way to move two-factor authentication to a new phone number in order to cash out the account. A screenshot of instructions for hacking the DraftKings accounts lists “Step 5” as “Enjoy your money!”
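The cash-out sequence BleepingComputer describes (small deposit, password change, two-factor phone change, withdrawal, all in quick succession) is the kind of pattern a fraud team can detect from an account-activity stream. The following is an added example written for this article, not DraftKings code: it runs a simple rule over a constructed event log and flags accounts that show the whole sequence inside a short window. The event format, the 30-minute window, and the $10 "small deposit" cutoff are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample account-activity events (not real DraftKings data).
# Each event: (ISO timestamp, account id, event type, detail)
EVENTS = [
    ("2022-11-18T02:01:00", "acct-1001", "deposit", "5.00"),
    ("2022-11-18T02:03:30", "acct-1001", "password_change", ""),
    ("2022-11-18T02:05:10", "acct-1001", "mfa_phone_change", "+1555000111"),
    ("2022-11-18T02:09:45", "acct-1001", "withdrawal", "1240.00"),
    ("2022-11-18T09:15:00", "acct-2002", "deposit", "50.00"),
    ("2022-11-19T20:30:00", "acct-2002", "withdrawal", "20.00"),
    ("2022-11-18T03:12:00", "acct-3003", "deposit", "5.00"),
    ("2022-11-18T03:14:00", "acct-3003", "password_change", ""),
    ("2022-11-18T03:15:30", "acct-3003", "mfa_phone_change", "+1555000222"),
    ("2022-11-18T03:20:00", "acct-3003", "withdrawal", "310.00"),
    ("2022-11-18T12:00:00", "acct-4004", "password_change", ""),
    ("2022-11-18T12:30:00", "acct-4004", "withdrawal", "80.00"),
]

SMALL_DEPOSIT_MAX = 10.0          # assumed cutoff for a "probe" deposit
WINDOW = timedelta(minutes=30)    # assumed time window for the whole sequence
# The takeover sequence we look for, in order, after the small deposit.
SEQUENCE = ["password_change", "mfa_phone_change", "withdrawal"]


def group_by_account(events):
    """Group events per account and sort each account's events by time."""
    by_acct = {}
    for ts, acct, kind, detail in events:
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, detail))
    for seq in by_acct.values():
        seq.sort()
    return by_acct


def find_takeover_cashouts(events, window=WINDOW, small_max=SMALL_DEPOSIT_MAX):
    """Return account ids whose activity shows, within `window` after a small
    deposit, a password change, then an MFA phone change, then a withdrawal."""
    flagged = []
    for acct, seq in group_by_account(events).items():
        for i, (t0, kind, detail) in enumerate(seq):
            if kind != "deposit" or float(detail) > small_max:
                continue
            needed = list(SEQUENCE)
            for t, k, _ in seq[i + 1:]:
                if t - t0 > window:
                    break
                if needed and k == needed[0]:
                    needed.pop(0)
            if not needed:          # every step of the sequence was seen in order
                flagged.append(acct)
                break
    return flagged


if __name__ == "__main__":
    for acct in find_takeover_cashouts(EVENTS):
        print(f"hold withdrawals and re-verify owner: {acct}")
```

In the constructed data only acct-1001 and acct-3003 match; acct-2002 makes a normal deposit and acct-4004 changes a password without the deposit or MFA step, so neither is flagged. A real deployment would feed the flagged accounts into a withdrawal hold and an out-of-band owner check rather than just printing them.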
DraftKings labeled this hack a “credential stuffing attack” that was caused by usernames and passwords obtained from a “third-party source.” The company implied that the attack was possible because users reused the same username and password on different websites, and those reused credentials were then used to access their DraftKings accounts.
In credential stuffing attacks of this kind, malicious actors use automated tools to make millions of sign-in attempts at a time with passwords found through outside sources.
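Because credential stuffing replays leaked username/password pairs at high volume, its signature in an authentication log is one source hammering many distinct accounts with a high failure rate, plus the occasional success where a reused password matched. The example below is added for this article and is not DraftKings or BleepingComputer code: it parses a constructed log in an assumed `ip=… user=… result=…` format, flags source IPs whose sliding window crosses assumed thresholds (8 distinct accounts in 5 minutes with at least half the attempts failing), and returns the accounts that logged in successfully from each flagged source so they can be reset and notified.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real DraftKings logs).
# Assumed line format: "<ISO timestamp> ip=<addr> user=<login> result=<ok|fail>"
SAMPLE_LOG = """\
2022-11-18T01:00:00 ip=203.0.113.9 user=alice result=fail
2022-11-18T01:00:01 ip=203.0.113.9 user=bob result=fail
2022-11-18T01:00:01 ip=203.0.113.9 user=carol result=ok
2022-11-18T01:00:02 ip=203.0.113.9 user=dave result=fail
2022-11-18T01:00:02 ip=203.0.113.9 user=erin result=fail
2022-11-18T01:00:03 ip=203.0.113.9 user=frank result=fail
2022-11-18T01:00:03 ip=203.0.113.9 user=grace result=ok
2022-11-18T01:00:04 ip=203.0.113.9 user=heidi result=fail
2022-11-18T01:00:04 ip=203.0.113.9 user=ivan result=fail
2022-11-18T01:00:05 ip=203.0.113.9 user=judy result=fail
2022-11-18T01:05:00 ip=198.51.100.4 user=alice result=fail
2022-11-18T01:05:20 ip=198.51.100.4 user=alice result=fail
2022-11-18T01:05:40 ip=198.51.100.4 user=alice result=ok
2022-11-18T01:07:00 ip=192.0.2.77 user=mallory result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        rows.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return rows


def detect_credential_stuffing(rows, window=timedelta(minutes=5),
                               min_distinct_users=8, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding `window`, try at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_fail_ratio`. Returns {ip: sorted accounts that logged in OK from it}."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in rows:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted(u for _, u, ok in attempts if ok)
                break
    return flagged


if __name__ == "__main__":
    for ip, victims in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: likely credential stuffing; reset and notify {victims}")
```

On the constructed log only 203.0.113.9 is flagged, with carol and grace as the accounts whose reused passwords matched. The single user retrying from 198.51.100.4 is a normal forgotten-password pattern and stays below the distinct-account threshold; the response for flagged accounts (forced password reset, session invalidation, and a notification to the owner) matches what the article says DraftKings did after the attack.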
As noted by CNBC back in November, rival sports betting app FanDuel also reported an increased number of hacking attempts on its systems.