DraftKings revealed this week that nearly 68,000 of its users fell victim to a sweep of cyberattacks that hit sportsbooks in November, resulting in nearly $300,000 in lost funds from the hacks.
In a Dec. 16 filing in Maine, DraftKings lawyers notified the Attorney General of “credential-stuffing” cyberattacks, where hackers use stolen passwords from other websites to gain access to a third-party system. Their success relies on users often recycling passwords across different websites, according to the Open Web Application Security Project.
The filing builds on reports that DraftKings, among other sportsbooks, fell victim to cyberattacks targeted around the World Cup, which the sportsbook originally dismissed.
“Based on our investigation to date, we believe that attackers may have previously gained access to your username or email address and password from a non-DraftKings source and then used those credentials to access your DraftKings account,” DraftKings said in its notice to affected users.
DraftKings said it restored the missing funds, which were first identified Nov. 18, and plans to work with law enforcement to get more information on the hacks.
Personal information breached
The filing indicates hackers may have gained access to:
- names
- addresses
- phone numbers
- emails
- profile picture
- last four digits of payment card on file
- account balances
- date of last password change
- information about prior transactions
The notice says 125 Maine users were impacted, and 67,995 in other states. DraftKings did not indicate which states. Maine has yet to launch sports betting, which it legalized last year, though it does allow daily fantasy sports.
“In compliance with applicable state laws, DraftKings provided formal notice of the credential stuffing attacks to certain customers in jurisdictions where required to do so,” reads an official DraftKings statement obtained by Legal Sports Report.
DraftKings the only app hacked in Connecticut
Thirty-two of the hacked DraftKings accounts had Connecticut addresses, totaling $18,758 in fraudulent withdrawals, Kaitlyn Krasselt, a spokesperson for the Connecticut Department of Consumer Protection, told Legal Sports Report.
FanDuel Sportsbook and SugarHouse Sportsbook, Connecticut’s only other online operators, reported no hacks to state-based users, she added.
Five customers reached out to the New York State Gaming Commission about the hacks, its Communications Director, Brad Maione, told Legal Sports Report, though he did not disclose how many users had been impacted.
Social Security safe from DraftKings hacks
The sportsbook assured customers, however, that an internal investigation found no evidence of any Social Security number, driver’s license number or financial account number breach.
“While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account,” DraftKings said. “Therefore, the bad actors were not able to view this information.”
DraftKings recommended users change passwords, review their accounts and/or place a security freeze on their credit reports.