Sports betting site DraftKings has promised to reimburse an undisclosed number of customers after they lost $300,000 through a suspected credential stuffing campaign.
A statement from the firm’s co-founder, Paul Liberman, late yesterday noted that some customers had experienced “irregular activity” with their accounts.
“We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” it continued.
“We have seen no evidence to suggest that DraftKings’ systems were breached to obtain this information.”
That would seem to indicate classic credential stuffing attacks, where threat actors buy up username/password combos from underground breach sites, feed them into automated tools and try them en masse across the internet, to see where they’ve been reused by individuals.
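From the defender's side, that pattern is visible in authentication logs: one source trying many different accounts a few times each, mostly failing, with the occasional success being a customer who reused a password. The sketch below is an added example, not DraftKings' code or tooling; the log format, sample lines and thresholds are constructed assumptions. It flags such sources and lists the accounts they got into, which are the ones to lock and reset.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 alice FAIL
2024-01-01T10:00:02 203.0.113.7 bob FAIL
2024-01-01T10:00:04 203.0.113.7 carol OK
2024-01-01T10:00:06 203.0.113.7 dave FAIL
2024-01-01T10:00:08 203.0.113.7 erin FAIL
2024-01-01T10:00:10 203.0.113.7 frank FAIL
2024-01-01T10:01:00 198.51.100.9 grace FAIL
2024-01-01T10:01:05 198.51.100.9 grace FAIL
2024-01-01T10:01:09 198.51.100.9 grace FAIL
2024-01-01T10:01:15 198.51.100.9 grace FAIL
2024-01-01T10:01:20 198.51.100.9 grace FAIL
2024-01-01T10:01:30 198.51.100.9 grace OK
2024-01-01T10:02:00 192.0.2.44 heidi OK
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def stuffing_sources(events, window=timedelta(minutes=5), min_users=5,
                     max_tries_per_user=2, min_fail_ratio=0.8):
    """Map each suspected stuffing source IP to the accounts it logged in to."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, *_rest) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            tries = Counter(user for _, _, user, _ in win)
            fail_ratio = sum(not ok for *_, ok in win) / len(win)
            # Stuffing: many accounts, few tries each, mostly failures.
            # Brute force against one account fails the min_users test.
            if (len(tries) >= min_users and fail_ratio >= min_fail_ratio
                    and max(tries.values()) <= max_tries_per_user):
                flagged[ip] = sorted({u for _, _, u, ok in evs if ok})
                break
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(parse(SAMPLE_LOG)))
```

A per-IP view like this misses campaigns spread across many proxies, so in practice the same counts are also kept per network range or per client fingerprint.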