Here is what I learned from an article on DraftKings where some users had their accounts hacked using "Credential Stuffing attacks." This is where an attacker takes username and password combos they obtained from you on other sites and tries them on DraftKings. Scary, right?
If you are like me and reuse usernames and passwords and/or logins, then this is exactly the situation that could happen.
What Did They Find?
DraftKings identified this issue in early October. They indicated that these users were not compromised through DraftKings itself; the attackers instead used login credentials obtained from other sites.
Some information that may have been seen includes:
- Name, email, phone number, date of birth
- Last four digits of a debit/credit card
- Profile photo, account balance, transaction history
DraftKings also indicated that fewer than 30 users were affected, no funds were stolen, and their systems were not hacked.
What DraftKings Is Doing And What To Do
DraftKings is requiring affected customers to reset passwords. They are also recommending multi-factor authentication (MFA), which is an extra step when logging in.
Here's what I would recommend:
- Change the password on your DraftKings account to something strong and unique
- Enable MFA or 2FA
- Monitor your bank accounts and credit accounts for any odd behavior
- Consider setting up alerts on your credit report
Why credential stuffing is dangerous
Credential stuffing is like using a bunch of stolen keys on a bunch of locks. Because many people reuse passwords, hackers get lucky.
It's dangerous because:
- It's automated — hackers can try thousands of different logins very quickly
- It exploits password reuse
- An attacker can see personal information that can be used for phishing or taking over an account
Even the FBI has said credential stuffing is an increasing issue.
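From the defender's side, the automation and password reuse described above leave a recognizable pattern in login logs: one source trying many different accounts, a few times each, with most attempts failing. The Python sketch below is an added example, not part of the original article or anything DraftKings has published; the log format, sample data, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, one attempt per line: "<source_ip> <username> <OK|FAIL>".
# Addresses come from documentation ranges; usernames are made up.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 user{i} FAIL" for i in range(8)]   # 8 accounts, one try each
    + ["203.0.113.7 carol OK"]                        # a reused password worked
    + ["198.51.100.4 dave FAIL"] * 6                  # 6 guesses at one account
    + ["192.0.2.10 erin FAIL", "192.0.2.10 erin OK"]  # a typo, then a success
)

def summarize(log):
    """Per source IP: attempt and failure counts, usernames tried and succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "users": set(), "hits": set()})
    for line in log.splitlines():
        ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "OK":
            s["hits"].add(user)
        else:
            s["fails"] += 1
    return stats

def classify(log, min_users=5, min_fail_ratio=0.8, min_guesses=5):
    """Label each source IP. The thresholds are illustrative assumptions."""
    labels = {}
    for ip, s in summarize(log).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            labels[ip] = "credential_stuffing"  # many accounts, few tries each
        elif len(s["users"]) == 1 and s["fails"] >= min_guesses:
            labels[ip] = "brute_force"          # many tries at one account
        else:
            labels[ip] = "normal"
    return labels

def accounts_to_reset(log):
    """Accounts that logged in successfully from a source labelled as stuffing."""
    labels = classify(log)
    return sorted(user for ip, s in summarize(log).items()
                  if labels[ip] == "credential_stuffing" for user in s["hits"])

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    print(accounts_to_reset(SAMPLE_LOG))
```

The accounts returned by `accounts_to_reset` are the ones where a reused password actually worked, which is the group a site would force through a password reset.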
My thoughts
I'm glad only a few accounts were affected, but this is a reminder: do not reuse passwords. I found that out the hard way once when an old account was hacked, and it created all kinds of problems elsewhere.
Summary
• Several DraftKings accounts were targeted by credential stuffing attacks
• They are now requiring customers to reset passwords and strongly encouraging multifactor authentication (MFA)
• Fewer than 30 total users were impacted and no money was lost
• You need to change your password, turn on MFA, and be alert about your accounts
If you have a DraftKings account (or any account online), this serves as a good reminder. Use unique passwords and turn on enhanced security — it can save a lot of headache.