After multiple claims by frustrated users, sports betting company DraftKings denied that reports of stolen customer funds were due to a breach of its systems. Though hundreds of thousands of dollars were stolen, the company said, there was no breach on the company’s side that led to that theft.
The number of affected users is unknown, but DraftKings said that less than $300,000 was stolen overall. Affected users found that their DraftKings accounts had been used to withdraw funds from their bank accounts while they themselves were locked out of those DraftKings accounts.
Loss
DraftKings users who had linked their bank accounts to their DraftKings accounts reportedly experienced withdrawal requests from those bank accounts for thousands of dollars. DraftKings promised to reimburse the impacted customers. Shares of DraftKings fell more than 8 percent on Monday November 23, 2022.
Affected customers were asked to contact the Customer Experience Team at support@draftkings.com.
Credential stuffing
Customers found themselves locked out of their DraftKings account, most likely because someone either changed their password or the telephone number associated with the 2FA factor of the account, or both.
Denying that there was any breach of the DraftKings systems, the DraftKings CX Team tweeted a statement saying they believe that the login information of the affected customers was compromised on other websites and then used to log in to their DraftKings accounts.
This would mean that the threat actor had used an attack we call credential stuffing. Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from data that was leaked in a separate breach or mishap. Because people frequently reuse passwords across many accounts, the leak of one username and password combo could unlock other, separate accounts that used the same credentials. These attacks are usually carried out with an automated tool that tries a lot of combinations and alerts the threat actor about the ones that were successful.
DraftKings’ statement was, however, rebuffed by customers who said they used a unique password for DraftKings. If both parties are right, then this might have been a brute-force attack, which simply tries as many combinations as it takes to compromise an account. Given the number of affected accounts, however, this is unlikely.
How the threat actor managed to log in without having the 2FA device in the first place is a good question. There have, however, been stories of hackers paying a company to reroute text messages, and since DraftKings’ 2FA depends on SMS, this is a possibility.
Mitigation
Our standard advice for users would normally be to use unique passwords and enable 2FA, especially for an account that has the power to make withdrawals from your bank account. But since in this case it apparently was possible for the threat actor to change the 2FA device, that wouldn’t have helped much.
Let’s look at what DraftKings could have done to prevent this type of attack.
- A Web Application Firewall (WAF) could have detected abnormal traffic caused by botnets. Even though most credential stuffers are smart enough to rotate their IP address, an advanced WAF can detect suspicious login attempts, especially when a lot of them happen at the same time.
- For most usernames there is more than one breached password available. A service provider can limit the number of failed authentication requests and alert the user about suspicious activity on their account. Financial institutions will typically allow three to five failed login requests before they freeze an account.
- Service providers can also invest in software that refuses to accept compromised credentials that are available to threat actors, for example, on the dark web.
- SMS is not the optimal solution for 2FA. Maybe a company that handles large amounts of other people’s money could invest in something more sophisticated like passkeys.
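The two server-side checks from the list above (freezing an account after a few consecutive failures, and spotting the "many usernames, one attempt each" traffic shape of a credential-stuffing run) can be expressed as simple rules over an authentication log. The following is an added example written for this article, not DraftKings' code; the log format, the sample lines and the thresholds are constructed, and the per-source-IP rule is deliberately the simplest form, which a stuffer who rotates IP addresses will partly evade.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not DraftKings data): "<ISO time> <ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2022-11-20T02:00:01 203.0.113.7 alice LOGIN_FAIL
2022-11-20T02:00:02 203.0.113.7 bob LOGIN_FAIL
2022-11-20T02:00:02 203.0.113.7 carol LOGIN_OK
2022-11-20T02:00:03 203.0.113.7 dave LOGIN_FAIL
2022-11-20T02:00:04 203.0.113.7 erin LOGIN_FAIL
2022-11-20T02:01:00 198.51.100.9 heidi LOGIN_FAIL
2022-11-20T02:01:10 198.51.100.9 heidi LOGIN_FAIL
2022-11-20T02:01:20 198.51.100.9 heidi LOGIN_FAIL
2022-11-20T02:01:50 198.51.100.9 heidi LOGIN_OK
2022-11-20T03:30:00 192.0.2.5 ivan LOGIN_FAIL
"""

def parse(log):
    """Return time-ordered (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("LOGIN_OK", "LOGIN_FAIL"):
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return sorted(events)

def freeze_candidates(events, max_fails=3):
    """Accounts that hit max_fails consecutive failures: freeze them and alert the owner."""
    streak, frozen = defaultdict(int), set()
    for _, _, user, result in events:
        if result == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] >= max_fails:
                frozen.add(user)
        else:
            streak[user] = 0      # a success resets the consecutive-failure count
    return frozen

def stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Source IPs that try min_users distinct usernames inside one window (a WAF-style rule)."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, tries in by_ip.items():           # tries are already time-ordered (see parse)
        for i, (start, _) in enumerate(tries):
            if len({u for t, u in tries[i:] if t - start <= window}) >= min_users:
                flagged.add(ip)
                break
    return flagged
```

On the sample, `freeze_candidates` returns `{"heidi"}` (three failures in a row, even though the fourth attempt succeeded) and `stuffing_sources` returns `{"203.0.113.7"}` (five different usernames tried within four seconds, whether or not each attempt failed).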