Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November.
In credential stuffing attacks, automated tools are used to make a massive number of attempts (up to millions at a time) to sign into accounts using credentials (user/password pairs) stolen from other online services.
This tactic works exceptionally well against user accounts whose owners have reused the same login information across multiple platforms.
The attackers aim to take over as many accounts as possible to steal personal and financial info, which gets sold on hacking forums or the dark web. However, the stolen information may also be used in identity theft scams to make unauthorized purchases or empty banking accounts linked to compromised accounts.
The company said the attackers obtained the credentials needed to log into the customers’ accounts from a non-DraftKings source.
