
"The attackers likely accessed users' names, addresses, email addresses, phone numbers, dates of birth, profile photos, the last four digits of payment cards, transaction information, account balances, and details on when passwords were last changed. "Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings' computer systems or networks were breached as part of this incident," the company says."
"Sports betting firm DraftKings is notifying users of a recent credential stuffing campaign targeting their online accounts. The attacks, the company says in a notification letter to the impacted users, were discovered on September 2, and relied on credentials harvested from other sources to log into users' accounts. The company has launched an investigation into the campaign and is requiring the potentially impacted individuals to reset their account passwords. It is also requiring multifactor authentication for logins to DraftKings Horse accounts."
DraftKings discovered a credential stuffing campaign on September 2 that used credentials harvested from non-DraftKings sources to log into user accounts. The attackers may have temporarily accessed customers' accounts and likely viewed names, addresses, email addresses, phone numbers, dates of birth, profile photos, the last four digits of payment cards, transaction information, and account balances. The company found no evidence that credentials were obtained from DraftKings systems or that DraftKings networks were breached, and no evidence that government ID numbers or full financial account numbers were compromised. DraftKings is requiring affected users to reset their passwords and has mandated multifactor authentication for DraftKings Horse logins. The company has not disclosed the number of impacted users. A previous credential stuffing attack in 2022 affected roughly 68,000 accounts.
Read at SecurityWeek