The Target: DraftKings, a U.S.-based sports betting website.
The Take: $300,000 USD of customer funds.
The Vector: A credential stuffing attack. User passwords that had been exposed elsewhere were also in use as DraftKings logins, which enabled attackers to log in and steal the funds.
This breach is a stark reminder of how critical authentication controls are to a robust overall cybersecurity posture. Credential stuffing attacks can be avoided by enforcing multi-factor authentication and reasonably paced password resets. It is important to employ effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.
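Added example, not part of the original write-up: one way to spot the login pattern described above in authentication logs and list the accounts that need a forced password reset and multi-factor enrollment. The log format, thresholds, function names and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T03:00:01Z 203.0.113.7 alice FAIL
2024-01-01T03:00:02Z 203.0.113.7 bob FAIL
2024-01-01T03:00:03Z 203.0.113.7 carol OK
2024-01-01T03:00:04Z 203.0.113.7 dave FAIL
2024-01-01T03:00:05Z 203.0.113.7 erin FAIL
2024-01-01T03:00:06Z 203.0.113.7 frank FAIL
2024-01-01T09:12:00Z 198.51.100.4 grace FAIL
2024-01-01T09:12:20Z 198.51.100.4 grace FAIL
2024-01-01T09:12:45Z 198.51.100.4 grace OK
2024-01-01T10:30:00Z 192.0.2.10 heidi OK
"""

def parse(log_text):
    """Yield (ip, user, succeeded) per line; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log_text, min_accounts=5, max_tries_per_account=2.0,
                  min_fail_ratio=0.7):
    """Return {source_ip: [accounts it logged in to]} for suspicious sources.

    Stuffing signature: one source tries MANY distinct accounts, only a
    guess or two per account (replayed leaked pairs), and most attempts fail.
    A user mistyping their own password touches a single account instead.
    """
    stats = defaultdict(lambda: {"n": 0, "fails": 0, "users": set(), "hits": set()})
    for ip, user, ok in parse(log_text):
        s = stats[ip]
        s["n"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)   # reused password accepted: account exposed
        else:
            s["fails"] += 1
    findings = {}
    for ip, s in stats.items():
        spread = len(s["users"])
        if (spread >= min_accounts
                and s["n"] / spread <= max_tries_per_account
                and s["fails"] / s["n"] >= min_fail_ratio):
            findings[ip] = sorted(s["hits"])  # reset these, require MFA
    return findings

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: force reset + MFA for {accounts}")
```

Grouping by source IP alone misses campaigns spread across many proxies, so in practice the same counting is also applied to other shared attributes such as user agent or network range.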