It's always a good idea to routinely change your passwords, especially if you find yourself falling into the habit of using the same login password on every website you visit. Unfortunately, a number of users of the sports-betting website DraftKings learned this the hard way after the site suffered a Credential Stuffing attack.
In Credential Stuffing, a threat actor takes a list of compromised credentials, previously obtained through methods such as phishing or a breach of another site, and tries them against a specific system. For example, if a user reused the same e-mail and password combination on a different website that was later compromised, threat actors could try that combination on other websites where accounts were registered under the same e-mail address.
On November 21, DraftKings President Paul Liberman posted a statement through the company's Twitter account, saying: "We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information." Liberman stressed that their servers were not the victim of any attack and that users should "use unique passwords."
"We have identified less than $300,000 of customer funds that were affected, and we intend to make whole any customer that was impacted," the statement continued.
According to InfoSecurity magazine, once inside the compromised accounts, threat actors changed the passwords before enabling multi-factor authentication on their own phones, completely locking out the actual account holders.
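Both halves of the incident described above leave a footprint in authentication logs: the stuffing phase shows up as one source address cycling through many distinct accounts with a high failure rate, and the takeover phase shows up as a successful login from an address the account has never used, followed shortly by a password change and an MFA enrolment. The following is an added example of how a defender might detect those two patterns over login events; it is not code from the article or from DraftKings, the event records and IP addresses (documentation ranges) are constructed, and the thresholds (`window`, `min_accounts`, `max_success_ratio`) are assumed values a real deployment would tune.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One authentication event. Constructed schema for this example."""
    ts: int            # seconds since epoch
    kind: str          # "login", "password_change" or "mfa_enroll"
    user: str
    ip: str
    success: bool = True


# Constructed sample log, not real DraftKings data.
SAMPLE_EVENTS = [
    # Legitimate users logging in from their usual addresses.
    Event(1000, "login", "alice", "198.51.100.10"),
    Event(1005, "login", "bob", "203.0.113.7"),
    # Stuffing burst: one address tries eight different accounts in eight seconds.
    Event(2000, "login", "user001", "192.0.2.50", False),
    Event(2001, "login", "user002", "192.0.2.50", False),
    Event(2002, "login", "user003", "192.0.2.50", False),
    Event(2003, "login", "user004", "192.0.2.50", False),
    Event(2004, "login", "user005", "192.0.2.50", False),
    Event(2005, "login", "user006", "192.0.2.50", False),
    Event(2006, "login", "carol", "192.0.2.50", True),   # reused password works
    Event(2007, "login", "user007", "192.0.2.50", False),
    # Takeover of carol's account: password change, then MFA enrolled on the attacker's device.
    Event(2030, "password_change", "carol", "192.0.2.50"),
    Event(2060, "mfa_enroll", "carol", "192.0.2.50"),
    # Benign: alice rotates her password from her usual address, no MFA enrolment.
    Event(3000, "password_change", "alice", "198.51.100.10"),
]

# Constructed baseline of addresses each account has logged in from before.
BASELINE_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"203.0.113.7"},
    "carol": {"198.51.100.22"},
}


def detect_credential_stuffing(events, window=300, min_accounts=5, max_success_ratio=0.25):
    """Flag source IPs that, within `window` seconds, attempt at least `min_accounts`
    distinct accounts with a success ratio at or below `max_success_ratio`.
    Returns {ip: {"accounts", "attempts", "successes"}} for the largest such window."""
    by_ip = defaultdict(list)
    for e in sorted((e for e in events if e.kind == "login"), key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.user for e in win}
            successes = sum(1 for e in win if e.success)
            if len(accounts) >= min_accounts and successes / len(win) <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(win) > best["attempts"]:
                    flagged[ip] = {"accounts": len(accounts), "attempts": len(win),
                                   "successes": successes}
    return flagged


def detect_takeover_sequence(events, baseline_ips=None, window=900):
    """Flag accounts where a successful login from an address not in that account's
    history is followed within `window` seconds by both a password change and an
    MFA enrolment, the lock-out pattern described in the article.
    Returns {user: {"ip", "login_ts"}}."""
    # Copy the baseline so the caller's history is not mutated.
    known = defaultdict(set, {u: set(ips) for u, ips in (baseline_ips or {}).items()})
    evs = sorted(events, key=lambda e: e.ts)
    flagged = {}
    for i, e in enumerate(evs):
        if e.kind != "login" or not e.success:
            continue
        is_new_ip = e.ip not in known[e.user]
        known[e.user].add(e.ip)
        if not is_new_ip:
            continue
        followups = {f.kind for f in evs[i + 1:] if f.user == e.user and f.ts - e.ts <= window}
        if {"password_change", "mfa_enroll"} <= followups:
            flagged[e.user] = {"ip": e.ip, "login_ts": e.ts}
    return flagged


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(SAMPLE_EVENTS))
    print("takeover sequences:", detect_takeover_sequence(SAMPLE_EVENTS, BASELINE_IPS))
```

The two detectors are deliberately independent: the first fires during the attack and can feed rate limiting or a challenge on the offending address, while the second catches the single success that slipped through and is the one that should trigger an out-of-band notification to the account holder before the attacker's MFA enrolment locks them out.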