DraftKings customers fall victim to credential harvesting.
N2K, Nov 22, 2022

Users of the online betting platform DraftKings have been hacked, according to reports yesterday afternoon.

DraftKings has fallen victim to a hack, the Action Network reported yesterday. Some users reported suspicious bank activity tied to the online betting platform, changed login credentials, and floods of spam email. The company, however, reports no breach of its systems.

Unauthorized withdrawals.

DraftKings users reported unauthorized withdrawals from the cards they had used to make deposits into their DraftKings accounts, the Action Network report states. User Justin White reported that his login credentials no longer worked, and that the reply text from DraftKings went to the phone number on file, which had been changed so it was no longer his. When he checked the email account attached to his DraftKings account for evidence of the withdrawals, he found hundreds of spam emails apparently intended to bury the withdrawal notifications. Changed phone numbers seem to be a theme in this hack, as other users report the same experience.
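The sequence the report describes (a login with stolen credentials, then a phone-number or password change, then a withdrawal shortly afterwards) is a pattern a platform's fraud team can flag. The following is an added example, not code from the article or from DraftKings: a small Python detector that runs over constructed account-event records and flags any withdrawal made within 24 hours of a phone, email or password change on the same account, which is a common basis for placing a hold pending out-of-band confirmation.

```python
from datetime import datetime, timedelta

# Constructed sample account events for illustration only (not real DraftKings data).
# Timestamps are ISO 8601; amounts are in dollars.
EVENTS = [
    {"user": "u1", "ts": "2022-11-20T08:00:00", "type": "login", "ip": "203.0.113.5"},
    {"user": "u1", "ts": "2022-11-20T08:02:00", "type": "phone_change", "ip": "203.0.113.5"},
    {"user": "u1", "ts": "2022-11-20T08:05:00", "type": "password_change", "ip": "203.0.113.5"},
    {"user": "u1", "ts": "2022-11-20T08:30:00", "type": "withdrawal", "ip": "203.0.113.5", "amount": 450},
    {"user": "u2", "ts": "2022-11-20T09:00:00", "type": "login", "ip": "198.51.100.7"},
    {"user": "u2", "ts": "2022-11-20T09:10:00", "type": "withdrawal", "ip": "198.51.100.7", "amount": 50},
    {"user": "u3", "ts": "2022-11-10T10:00:00", "type": "phone_change", "ip": "192.0.2.9"},
    {"user": "u3", "ts": "2022-11-20T10:00:00", "type": "withdrawal", "ip": "192.0.2.9", "amount": 100},
]

WINDOW = timedelta(hours=24)
# Event types that an account-takeover typically produces before cashing out.
CONTACT_CHANGES = {"phone_change", "email_change", "password_change"}


def flag_takeover_withdrawals(events, window=WINDOW):
    """Return withdrawals preceded within `window` by a contact or credential
    change on the same account. Each hit lists which change types preceded it."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)
    flagged = []
    for user, evs in by_user.items():
        recent_changes = []  # (timestamp, change type) seen so far for this user
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] in CONTACT_CHANGES:
                recent_changes.append((t, e["type"]))
            elif e["type"] == "withdrawal":
                changes = [c for t0, c in recent_changes if t - t0 <= window]
                if changes:
                    flagged.append({"user": user, "ts": e["ts"], "amount": e["amount"],
                                    "preceded_by": sorted(set(changes))})
    return flagged


if __name__ == "__main__":
    for hit in flag_takeover_withdrawals(EVENTS):
        print(hit)
```

In the sample data only u1 is flagged: u2 made no contact change, and u3's phone change was ten days before the withdrawal, outside the window.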

Company reports no evidence of systems breach.

CNBC reported yesterday that the online betting platform has said they’ve found no evidence of a breach of systems following the hacking reports. The company reports that less than $300,000 of customer funds were affected, and DraftKings’ co-founder and president for global technology and product, Paul Liberman, said in a statement, “DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information.” DraftKings says that it intends to “make whole any customer that was impacted” by the hacks.

Industry comment on digital hygiene and best practices.

DraftKings thinks customer login credentials were compromised on other sites where they’d been reused, which suggests some familiar lessons about sound password practices and the value of multifactor authentication.

James McQuiggan, security awareness advocate at KnowBe4, commented on the incident, saying, “Cybercriminals profit when users have the same passwords for multiple accounts and do not enable Multifactor Authentication (MFA) on their accounts. When users have the same password for various accounts, cybercriminals will probably gain access to that account. Victims will feel it could never happen to them, but when a cybercriminal can access your account, they can change the password and lock you out, as seen with this incident with DraftKings. Anytime you have social media or online accounts that access sensitive information, financial institutions, or other applications, MFA must be enabled on those accounts and use a unique password. Make sure the MFA uses a code from an application and not SMS and, if possible, a hardware token for accessing financial accounts or applications that can access your financial institution.”