DraftKings, a company that offers sports betting, recently announced that it would compensate clients who were harmed by a credential-stuffing assault that resulted in losses of up to $300,000, according to a report by BleepingComputer.
The company issued the statement following an early Monday morning tweet in which DraftKings said it was looking into customer complaints of account problems.
Two-Factor Authentication for Hacking
All accounts that were compromised appear to have had an initial $5 deposit made, after which the hackers changed the password and enabled two-factor authentication using a different phone number, before taking as much money as they could out of the victims' linked bank accounts.
"We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information," DraftKings President and Cofounder Paul Liberman said in a statement.
The company says it has seen no evidence that DraftKings' own systems were breached to obtain this information. It also says that less than $300,000 in client funds was affected, and that it intends to reimburse any customers who were harmed.
Customers were urged not to share their login information with third parties, such as betting trackers and betting applications other than those offered by DraftKings, and never to use a single password for more than one online account.
Customers who are not affected by the attack are also urged to disable two-factor authentication right away, erase any banking information, and disconnect their banking accounts to prevent bogus withdrawal requests.
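The takeover sequence described above (a $5 deposit, a password change, two-factor enrolment with a different phone number, then withdrawals) can be looked for in account event logs. The following Python is an added example, not code from DraftKings or BleepingComputer; the event names, record fields, 24-hour window and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STAGES = ("small_deposit", "password_change", "mfa_new_phone", "withdrawal")  # order from the article

def classify(kind, detail, known_phone):
    """Map a raw event to a stage name, or None if it is not part of the pattern."""
    if kind == "deposit" and detail.get("amount", 0) <= 5.00:
        return "small_deposit"
    if kind == "mfa_enroll":  # only enrolment with a number not on file counts
        return "mfa_new_phone" if detail.get("phone") != known_phone else None
    return kind if kind in STAGES else None

def takeover_progress(events, phones, window=timedelta(hours=24)):
    """Return {account: most stages matched in order inside one window}."""
    by_account = defaultdict(list)
    for ts, account, kind, detail in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, detail))
    progress = {}
    for account, rows in by_account.items():
        matched, best, start = 0, 0, None
        for when, kind, detail in sorted(rows, key=lambda r: r[0]):
            if start is not None and when - start > window:
                matched, start = 0, None  # stale partial match, start over
            stage = classify(kind, detail, phones.get(account))
            if matched < len(STAGES) and stage == STAGES[matched]:
                start = start or when
                matched += 1
                best = max(best, matched)
        progress[account] = best
    return progress

def accounts_to_hold(progress, threshold=3):
    """Hold withdrawals once deposit, password change and new-phone 2FA are all seen."""
    return sorted(a for a, n in progress.items() if n >= threshold)

# Constructed sample data: alice matches the pattern, bob and carol are ordinary users.
PHONES = {"alice": "+15550100", "bob": "+15550101", "carol": "+15550102"}
EVENTS = [
    ("2024-01-08T03:10:00", "alice", "deposit", {"amount": 5.00}),
    ("2024-01-08T03:11:00", "alice", "password_change", {}),
    ("2024-01-08T03:12:00", "alice", "mfa_enroll", {"phone": "+15550199"}),
    ("2024-01-08T03:15:00", "alice", "withdrawal", {"amount": 900.0}),
    ("2024-01-08T09:00:00", "bob", "deposit", {"amount": 5.00}),
    ("2024-01-08T21:00:00", "bob", "withdrawal", {"amount": 20.0}),
    ("2024-01-08T10:00:00", "carol", "deposit", {"amount": 5.00}),
    ("2024-01-08T10:05:00", "carol", "password_change", {}),
    ("2024-01-08T10:06:00", "carol", "mfa_enroll", {"phone": "+15550102"}),
]
print(accounts_to_hold(takeover_progress(EVENTS, PHONES)))
```

With the default threshold of three stages, an account is flagged before the withdrawal stage, which is the point at which a hold can still stop funds from leaving.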
All About Credential Stuffing Attack
Threat actors in credential stuffing employ automated tools to log into user accounts using stolen login information from various online services.
This is especially effective when used against accounts whose owners have used the same login information on other platforms, according to BleepingComputer.
The objective is to take over as many accounts as possible to gain the associated financial and personal information, which may then be sold on the dark web or hacking sites.
The hackers may also use the stolen information in future identity theft operations to make illegal transactions, or, as was the case with the DraftKings accounts, transfer funds from linked banking accounts to accounts under their control.
According to a recent FBI warning, the volume of these attacks is rapidly increasing as a result of easily accessible aggregated databases of exposed credentials and automated tools.
The FBI added that mobile applications have also been a target of credential-stuffing assaults because of their weak security.
This article is owned by Tech Times
Written by Jace Dela Cruz