Online gambling platform DraftKings has been hit by a credential stuffing attack in which attackers managed to break into users’ accounts and steal some $300,000. Credential stuffing uses previously leaked email addresses and passwords to gain automated account access. Attackers check whether they can also log in to website B with credentials stolen from website A. The attack is only possible when users reuse their passwords and companies allow such automated attacks.
In a statement posted on Twitter, DraftKings reports that attackers gained access to users’ accounts using credentials stolen from other websites. Subsequently, the money that these users had in their account was stolen. The damage is about $300,000. DraftKings says it will indemnify affected users. Furthermore, users are advised to use unique passwords for their DrafKings account and other websites and not to share their password with anyone.
DraftKings claims to have two million unique paying users per month. The company had revenues of $1.3 billion last year. For this year, the gambling platform expects a turnover of $ 2.1 billion.