Sports betting company DraftKings said it would pay back all funds to customers affected by a credential stuffing attack that resulted in losses of up to $300,000. The announcement follows a Monday tweet in which DraftKings said it was investigating reports [1, 2, 3, 4] from customers experiencing account issues.
All the hacked accounts had one thing in common: an initial deposit of $5, after which the attackers changed the password, linked two-factor authentication (2FA) to a different phone number, and then withdrew as much money as possible from the victims' linked bank accounts. Some victims were very upset with DraftKings' support: they could not reach anyone at the company while they watched the attackers drain money from all their accounts.
According to Paul Liberman, president and co-founder of DraftKings, the company's specialists have found no evidence that its systems were compromised. He believes that the customer data was compromised on other sites. In addition, DraftKings will refund the money to all those affected. The total amount of refunds will not exceed $300,000.
The company advised customers never to use the same password for more than one online service and not to share their credentials with third-party platforms. Customers who have not yet been affected by the attack are advised to enable 2FA on their accounts immediately and to unlink their bank accounts from the application so that attackers cannot withdraw funds from them.
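The takeover sequence described above (a $5 deposit, a password change, 2FA moved to a different phone number, then a withdrawal) can be matched against account event logs. The following Python detection is an added example, not DraftKings code; the event schema, account IDs, timestamps and the 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Ordered takeover steps reported in the article.
SEQUENCE = ["deposit", "password_change", "mfa_phone_change", "withdrawal"]
WINDOW = timedelta(hours=24)  # assumed correlation window, not from the article

# Constructed sample events (hypothetical schema): (timestamp, account, type, detail)
EVENTS = [
    ("2024-01-01T09:00:00", "acct-1001", "deposit", {"amount": 5.00}),
    ("2024-01-01T09:02:00", "acct-1001", "password_change", {}),
    ("2024-01-01T09:03:00", "acct-1001", "mfa_phone_change", {"old": "A", "new": "B"}),
    ("2024-01-01T09:10:00", "acct-1001", "withdrawal", {"amount": 900.00}),
    # No 2FA change: ordinary deposit, password reset and withdrawal.
    ("2024-01-01T10:00:00", "acct-1002", "deposit", {"amount": 5.00}),
    ("2024-01-01T10:05:00", "acct-1002", "password_change", {}),
    ("2024-01-01T10:30:00", "acct-1002", "withdrawal", {"amount": 40.00}),
    # Same steps, but spread over several days.
    ("2024-01-01T08:00:00", "acct-1004", "deposit", {"amount": 5.00}),
    ("2024-01-01T08:30:00", "acct-1004", "password_change", {}),
    ("2024-01-05T12:00:00", "acct-1004", "mfa_phone_change", {"old": "C", "new": "D"}),
    ("2024-01-05T12:30:00", "acct-1004", "withdrawal", {"amount": 100.00}),
]

def _matches(step, etype, detail):
    """True if this event satisfies the expected step of the sequence."""
    if etype != step:
        return False
    if step == "deposit":
        return detail.get("amount") == 5.00       # the $5 marker deposit
    if step == "mfa_phone_change":
        return detail.get("old") != detail.get("new")
    return True

def find_takeover_sequences(events, window=WINDOW):
    """Return sorted accounts that show the full sequence, in order, within window."""
    progress, flagged = {}, set()   # account -> (next step index, time of first step)
    for ts, account, etype, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        idx, start = progress.get(account, (0, None))
        if idx and when - start > window:
            idx, start = 0, None                   # stale partial match: start over
        if _matches(SEQUENCE[idx], etype, detail):
            start = start or when
            idx += 1
            if idx == len(SEQUENCE):
                flagged.add(account)
                idx, start = 0, None
        progress[account] = (idx, start)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_takeover_sequences(EVENTS))
```

Unrelated events between the steps are ignored, so the rule still fires when the attacker's actions are interleaved with other account activity.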