Sports betting firm DraftKings is notifying customers of a recent credential stuffing campaign targeting their online accounts.
The attacks, the company says in a notification letter to the impacted customers, were discovered on September 2, and relied on credentials harvested from other sources to log into customers’ accounts.
“By stealing login credentials from a non-DraftKings source and using them in this attack, the bad actor could have quickly been able to log into certain DraftKings customers’ account,” reads a copy of the notification letter that was submitted to the Massachusetts OCABR.
The attackers likely accessed customers’ names, addresses, email addresses, phone numbers, dates of birth, profile photos, the last four digits of payment cards, transaction information, account balances, and details on when passwords were last changed.
“Importantly, our investigation up to now has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident,” the company says.
DraftKings also notes that it has no evidence that information such as government-issued ID numbers, financial account numbers, or other sensitive information was compromised in the attack.
The company has launched an investigation into the campaign and is requiring the potentially impacted individuals to reset their account passwords. It is also requiring multifactor authentication for logins to DraftKings Horse accounts.
The sports betting firm has not disclosed the number of impacted customers. SecurityWeek has emailed DraftKings for more information on the campaign and will update this article if the company responds.
In 2022, DraftKings disclosed a credential stuffing campaign that hit roughly 68,000 user accounts. In early 2024, Joseph Garrison was sentenced to 18 months in prison, and two other individuals, Nathan Austad and Kamerin Stokes, were indicted over the attacks.