Accounts on the popular app DraftKings, used by sports enthusiasts to play fantasy sports, were breached by an unknown attacker in order to perpetrate digital theft. The attacker gained access to accounts and drained the funds stored in them. On top of stealing stored funds, the threat actor was also able to use the linked credit card or bank account on file to add more funds to the account and then withdraw them into their own account almost instantly. According to DraftKings, no breach of the app itself occurred; it is believed that the attacker stole login credentials from other websites and preyed on those who reused their passwords. When some users went to change their passwords to stop the attack, they found that the attacker had changed the phone number on file, which is used to reset passwords, preventing targeted users from stopping the attacks.
DraftKings said that almost 300 thousand dollars was stolen from user accounts. According to some of the victims, when they took to Twitter to get help from DraftKings, there were many Twitter accounts commenting about getting free money using various techniques, but none of them could be identified as the actual attacker. Attacks like these highlight why it is important not to reuse passwords, especially on websites where credit card information is stored.