Nasdaq-listed sports betting company DraftKings Inc. has revealed that nearly 68,000 customers had their personal information exposed in a credential-stuffing attack in November.

A credential-stuffing attack is a type of cyberattack where an attacker uses stolen account credentials from other hacks to gain access to a third-party system. The attack method relies on the unfortunate fact that many users use the same password for multiple sites.

The attack on DraftKings did gain headlines when it occurred, with the company saying at the time that there was no evidence that its systems were breached after reports suggested it had been hacked. The company also said it had identified less than $300,000 of customer funds that had been affected by “unusual activity” and would compensate customers affected.

Exactly how many customers were affected has now been revealed in a Dec. 16 data breach notification filed by DraftKings with the Maine Attorney General’s Office that was first spotted by Bleeping Computer. In the letter, DraftKings says it detected the credential-stuffing attack on Nov. 18, launched an investigation and took several steps, including requiring affected customers to reset their DraftKings passwords and implement additional fraud alerts.

The investigation found that though there was no evidence that login credentials were obtained from DraftKings, the bad actors were able to log into certain accounts. In the event an account was accessed, the attacker could have viewed the account holder’s name, address, phone number, email address, profile photo, information about prior transactions and the last four digits of payment cards. No evidence was found that the attackers accessed Social Security, driver’s licenses or financial account numbers.

Affected users are recommended to change account passwords if they have not done so already, not only on DraftKings but on other sites as well. Users are also advised to review accounts and credit reports and consider placing a security freeze on their credit reports.

Given that credential-stuffing was used, DraftKings is not offering free credit monitoring to users. Though unfortunate, the case highlights the risk of reusing passwords across multiple sites. However, there are ways companies can reduce the risk of credential-stuffing attacks.

“As one of the major players in the sports betting industry and a host to the personally identifiable information of around 1.6 million monthly unique paying customers, it is, unfortunately, no surprise that hackers have leveraged DraftKings’ wealth of sensitive information to generate identity theft and financial scams,” Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at security rating company SecurityScorecard Inc., told SiliconANGLE. “In SecurityScorecard’s cybersecurity rating system, DraftKings is rated a C, with lower grades having a higher likelihood of a breach.”

Sherstobitoff emphasized that organizations, especially those that handle large amounts of sensitive information, must have up-to-date cybersecurity procedures that everyone follows.

“Additionally, it is crucial for companies to evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and continuously monitor third-party cybersecurity posture in order to reduce the likelihood of attacks,” Sherstobitoff said.

Image: DraftKings