DraftKings, a prominent daily fantasy sports operator, confirmed Monday that many of its customer accounts were compromised by irregular activity on third-party internet sites. The online hacking activity resulted in the unauthorized withdrawal of hundreds of thousands of dollars of customer funds over a short time period. The popular sports betting operator made efforts on Tuesday to mitigate the consequences.
Hack affected $300,000:
DraftKings’ co-founder, Paul Liberman, said in a statement that the hack affected roughly $300,000 of customer funds and assured that the operator intends to “make whole any customer that was impacted.”
One of the impacted customers received an alert from DraftKings at 10:11 pm CST Sunday approving a $437 withdrawal request to send the funds to a Houston address. The customer said the request must be fraudulent because he does not live anywhere near Houston. Another customer, from Kansas City, Missouri, reported that $19,439.00 disappeared from his DraftKings account at 8:30 pm CST on Sunday night and was returned 40 minutes later.
Unidentified source:
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” said Liberman.
The company believes that its systems were not compromised and maintains that hackers accessed only about $300,000 of customer funds. “We have seen no evidence that DraftKings’ systems were breached to obtain this information,” the DraftKings co-founder said.
The source of the fraudulent account activity has not been identified. According to cybercrime experts, the cybercriminals might have used the “credential stuffing” technique, which relies on the same personal passwords being used in multiple internet locations: once cybercriminals obtain credentials compromised on one site, they test them on other websites.
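How the pattern described above typically shows up in a site's own login logs, as an added defensive example that is not from DraftKings or the original article. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2000-01-01T21:00:01 203.0.113.7 alice FAIL
2000-01-01T21:00:02 203.0.113.7 bob FAIL
2000-01-01T21:00:03 203.0.113.7 carol OK
2000-01-01T21:00:04 203.0.113.7 dave FAIL
2000-01-01T21:00:05 203.0.113.7 erin FAIL
2000-01-01T21:00:06 203.0.113.7 frank OK
2000-01-01T21:03:10 198.51.100.20 grace FAIL
2000-01-01T21:03:25 198.51.100.20 grace OK
2000-01-01T21:40:00 203.0.113.7 heidi FAIL
"""

# Assumed thresholds; tune against a site's normal traffic.
WINDOW = timedelta(minutes=5)
MIN_USERS = 5          # distinct usernames tried by one source in WINDOW
MIN_FAIL_RATIO = 0.5   # share of failed attempts in the same window

def parse(log):
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def find_stuffing(log):
    """Return {source_ip: accounts that logged in successfully during a burst}."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            burst = events[start:end + 1]
            users = {e[2] for e in burst}
            fails = sum(not e[3] for e in burst)
            if len(users) >= MIN_USERS and fails / len(burst) >= MIN_FAIL_RATIO:
                findings.setdefault(ip, set()).update(e[2] for e in burst if e[3])
    return {ip: sorted(users) for ip, users in findings.items()}

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Accounts returned here are the ones that logged in successfully during a burst, which makes them candidates for a forced password reset and a hold on pending withdrawals. A single user who mistypes a password once, like `grace` in the sample, is not flagged.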
Credential stuffing prevention:
Liberman continued: “We strongly encourage customers to use unique passwords for DraftKings and all other sites, and we strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps.”
Even if DraftKings’ systems were not breached, as the company claims, large cybersecurity cases like this can take months to resolve. Sports betting customers, on the other hand, have shown in similar cases that they may lose patience when the desired outcome is not achieved quickly. Liberman therefore confirmed: “DraftKings intends to reimburse all customers in full for any lost funds.”
Stock plunge:
On Tuesday morning, there were reports that some customers had been reimbursed while additional users’ accounts were still being compromised. As a result, DraftKings stock initially plunged 10% on the news in Monday’s session, closing at $14.29 a share. As of Tuesday afternoon, DraftKings traded around $14.60 a share, up more than 2.25% on the Monday session.