The sports betting company DraftKings has revealed that thousands of its customers had their personal information exposed following a credential attack in November 2022. As Bleeping Computer reports, this was a credential stuffing attack, in which automated tools make a large number of attempts (up to millions at a time) to sign into accounts using credentials (username/password pairs) stolen from other online services.
The DraftKings incident was significant: it reportedly exposed the data of 67,000 people.
According to DraftKings (via SC Media): “In the event an account was accessed, among other things, the attacker could have viewed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change.”
To examine the implications, Digital Journal has heard from Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard.
Sherstobitoff looks at the incident, highlighting the company’s involvement in the gambling sector and its connection with sports (both areas that lead to the storing of large amounts of valuable data).
Sherstobitoff notes: “As one of the major players in the sports betting industry and a host to the personally identifiable information of around 1.6 million monthly unique paying customers, it is, unfortunately, no surprise that hackers have leveraged DraftKings’ wealth of sensitive information to generate identity theft and financial scams.”
This leads to some vulnerabilities, which Sherstobitoff calls out: “In SecurityScorecard’s cybersecurity rating system, DraftKings is rated a C, with lower grades having a higher likelihood of a breach.”
Some pointers can be drawn from the incident that will be of value to a multitude of businesses. Sherstobitoff identifies: “To better defend and protect your organization’s critical systems and ensure operational resilience, companies need to understand the threat. Organizations, especially those that handle large amounts of sensitive information, must have up-to-date cybersecurity procedures that everyone follows.”
Furthermore, Sherstobitoff finds: “Additionally, it is crucial for companies to evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and continuously monitor third-party cybersecurity posture in order to reduce the likelihood of attacks.”