One day after reports surfaced that DraftKings customers lost thousands of dollars in an apparent third-party breach over the weekend, the prominent sports betting operator made efforts Tuesday to contain the fallout.
DraftKings confirmed Monday that numerous bettors had aspects of their customer accounts compromised by irregular activity on third-party sites on the internet. The online hacks led to the unauthorized withdrawal of thousands of dollars in customer funds over a short period.
While DraftKings believes that hackers gained access to some customers’ log-in information, the company maintains that only about $300,000 of customer funds were affected. Moreover, DraftKings has seen no evidence that the company’s systems were breached to obtain the information, said Paul Liberman, who serves as president for global technology and product at DraftKings.
DraftKings says no evidence systems were breached following report of a hack https://t.co/WPiAlC36cQ
— CNBC (@CNBC) November 21, 2022
As of noon Tuesday, some DraftKings customers had the stolen amounts returned in full, while others reported new incidents of purported fraudulent activity. A DraftKings spokesman did not officially comment Tuesday on the pattern of activity, instead referring Sports Handle to a statement issued Monday by Liberman:
“DraftKings is aware that some customers are experiencing irregular activity with their accounts. We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information,” Liberman said.
News of the unauthorized activity was first reported Monday by The Action Network.
Anecdotal evidence of continued hacks
Even if DraftKings’ network was not breached, as the company maintains, large-scale cases involving cybersecurity disruptions can take months to resolve. Target, one of the nation’s largest department store chains, suffered a highly publicized data breach in December 2013 that affected about 41 million payment card accounts. More than three years elapsed before Target reached an $18.5 million multi-state settlement with customers in May 2017.
As with many issues in the sports betting ecosystem, customers have a tendency to lose patience when the desired outcome is not achieved quickly. Scores of DraftKings customers have taken to Twitter to express concern at the busiest time of the year for the global sports calendar. The U.S. men’s national soccer team opened the 2022 FIFA World Cup on Monday with a 1-all tie against Wales, while three games are on the NFL’s Thanksgiving Day schedule. DraftKings intends to reimburse all customers in full for any lost funds, Liberman said.
.@DraftKings @DKSportsbook why was a fraudulent withdrawal from my account successfully processed when I informed you multiple times within hours of the request that this withdrawal was not me. You have some serious questions to answer.
— NBA Polls (@LeadingNBAPolls) November 20, 2022
One customer received an alert from DraftKings at 10:11 pm CST Sunday informing them of a withdrawal request. The customer, according to a screenshot posted on Twitter, made an apparent request for a check of $437 to be sent to an apartment in a North Houston suburb. The request must be fraudulent, the customer asserted, since he said that he lives nowhere near Houston.
Another customer located outside Kansas City, Missouri, claimed that a five-figure amount disappeared from his account during Sunday night’s AFC West matchup between the Kansas City Chiefs and Los Angeles Chargers. The customer told Yahoo Finance that nearly all of the funds from his $19,439.00 account had been withdrawn around 8:30 pm CST, an amount that was returned roughly 40 minutes later.
On Tuesday morning, reports began to circulate of reimbursements trickling in for some customers. One customer who initially complained on Twitter of having his account hacked wrote that he recovered by Monday night all of the $5,000 that was fraudulently withdrawn. The user urged others to “flood DraftKings with emails” until their issues were resolved. Another customer who had approximately $3,000 taken from his account on Sunday told Sports Handle that he received the entire amount back by Tuesday before noon.
Still, others apparently had their accounts compromised as recently as Tuesday morning. One DraftKings customer told Sports Handle that he received a fraud notice from his bank at approximately 8 a.m. Tuesday. The bettor promptly drove to a local bank to file a fraud claim after a sum of $1,000 disappeared from his account.
“Not how I wanted to see my Tuesday start, for sure,” he told Sports Handle while speaking on condition of anonymity. “I would love to see this get as much attention as possible.”
While the primary source of the account disturbances has not been determined, there are some signals that online cybercriminals may have engaged in a hacking technique known as “credential stuffing.” According to cybercrime experts, credential stuffing occurs when a person’s password is used in multiple locations. From there, cybercriminals obtain the compromised credentials and then test them on a new site.
“We strongly encourage customers to use unique passwords for DraftKings and all other sites, and we strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps,” Liberman added.
Some states have begun to implement regulations that require customers to establish multi-factor authentication for logging on to a sportsbook app. In New Jersey this year, sportsbooks were required to implement a two-factor authentication (2FA) solution by June 30. Outside of the Garden State, a Midwestern customer of DraftKings who is an ardent soccer bettor told Sports Handle on Tuesday that he didn’t have any funds stolen because he maintains 2FA for all of his accounts, along with complex passwords.
DraftKings users saying accounts are hacked & stealing large sums from bank accounts. Many claim 2FA enabled so while it's possible this hack was cred stuffing + 2FA code stealing or SIM swap, could also mean DraftKings themselves are dealing w/ compromise.https://t.co/WabfEmcJbb
— Rachel Tobac (@RachelTobac) November 21, 2022
Although DraftKings has not provided an update on the percentage of affected customers who have been reimbursed, the company may have a further update later Tuesday. At the same time, the company has not provided a timetable for when it intends to reimburse all affected customers in full.
Beyond DraftKings, the unscrupulous activity could leave other top operators on edge. A FanDuel representative told CNBC Monday that the company has detected an uptick in recent hacking activity, all of which has been unsuccessful. The disruptions also come at a time when investors, in the wake of the FTX bankruptcy, remain skeptical on the reliability of security measures designed to keep customer funds safe.
Thousands of new sports bettors are expected to open accounts in Maryland this week ahead of Wednesday’s launch of online sports wagering across the state.
Jordan Bender, an analyst from JMP Securities, wrote in a research note that several companies in the gaming and leisure space have been able to recover after experiencing a data breach. Bender points to incidents affecting MGM Resorts and Marriott as examples where a company’s stock price can bounce back following a cyber disruption.
“Assuming this hack does not turn into anything major, history has proven that past hacks of credit cards and personal information in the gaming/leisure space have not materially impacted long-term revenue,” Bender note.
DraftKings stock initially plunged 10% on the news in Monday’s session, before paring some of the losses following Liberman’s statement. DraftKings closed on Monday at $14.29, up from session lows of $13.37 a share.
As of Tuesday afternoon, DraftKings traded around $14.60 a share, up more than 2.25% on the session.