DraftKings Inc.

The personal data of 67,995 customers of the sports betting company DraftKings was exposed in a credential stuffing attack.

The threat actors got the customers’ account credentials including includes the name of the account holder, the user’s address, phone number, email, the last four digits of card details, profile photo, data about prior transactions, account balance, and the data of the last new password from a source outside the organization.

The accounts that got hijacked received a $5 deposit and a new password changed by the cybercriminals who then were enabling two-factor authentication (2FA) on a different phone number to be able to take as much money as possible from the victim’s linked bank account.

Stolen credentials were sold on the dark web for $10 to $35 which came with instructions about how to withdraw the money from the bank accounts linked to them.

Source: https://heimdalsecurity.com/blog/67k-customers-had-their-data-leaked-in-a-credential-stuffing-attack-over-draftkings/

"id": "DRA2114231222",
"linkid": "draftkings-inc-",
"type": "Data Leak",
"date": "11/2022",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"