Reports of numerous DraftKings accounts getting compromised

  • infotimbo
    SBR Wise Guy
    • 10-24-18
    • 833

    Reports of numerous DraftKings accounts getting compromised

    According to reports on Twitter and Reddit, there has been a widespread attack on DraftKings accounts (but others, including FanDuel, were affected as well) over the weekend, leading to people getting locked out of their accounts and available balances getting withdrawn (or at least attempts to).



    DraftKings has confirmed that it happened, but says the data breach was not on their side:



    So far the exact origin seems to be unknown indeed, but by the look of it, somehow people got access to loads of login credentials.

    So I guess especially everyone using the same login/password on various sites should be careful now, change them, and enable 2FA, if possible.
  • jjgold
    SBR Aristocracy
    • 07-20-05
    • 388189

    #2
    Scary stuff

    inside jobs for sure

    Comment

    • pologq
      SBR Posting Legend
      • 10-07-12
      • 19899

      #3
      very scary

      draft kings has a buggy app and now the security sucks donkey nuts

      fanduel i am a little more surprised

      Comment

      • Optional
        Administrator
        • 06-10-10
        • 60409

        #4
        Sounds like it might be through some sort of bet tracking site where you give them your login??


        .

        Comment

        • infotimbo
          SBR Wise Guy
          • 10-24-18
          • 833

          #5
          no idea, maybe. Could basically be every site, I guess (although likely US based), as most users use the same login credentials for all accounts anyway. The "hackers" just need to find one site without a proper device/ip based security system then, and it sounds like DraftKings was an easy target in that regard.

          Comment

          • infotimbo
            SBR Wise Guy
            • 10-24-18
            • 833

            #6
            some of the people commenting on Reddit say that they used unique passwords, no additional tools, and still were affected. So, if true, the breach must have happened at DraftKings themselves.

            Comment

            • Optional
              Administrator
              • 06-10-10
              • 60409

              #7
              Originally posted by infotimbo
              some of the people commenting on Reddit say that they used unique passwords, no additional tools, and still were affected. So, if true, the breach must have happened at DraftKings themselves.
              I don't agree it must be at DraftKings' end.

              Draftkings allude to it being a third party site where people enter their DK login/passwords.

              "do not share your login info with third party sites for the purpose of tracking betting info".


              And so far that explanation matches the reported experiences people are describing.

              Not a big surprise a chunk of Reddit users would all get caught up doing that. Advice on SBR would have been to avoid that for sure.
              .

              Comment

              • OldBill
                SBR Hall of Famer
                • 11-02-21
                • 6398

                #8
                i have double safety logins on all accounts nobody can get in unless they have my phone that gets a 6 digit pass code only good for 10 minutes and if not in my state they are dead too because of geolocation impossible to play in my account even if i told them pass code and everything else because they know if you're using VPN to block your IP address

                Comment

                • infotimbo
                  SBR Wise Guy
                  • 10-24-18
                  • 833

                  #9
                  Originally posted by Optional
                  I don't agree it must be at DraftKings' end.
                  I was just referring to the Reddit posts there. For example:

                  - "Mine was hacked Sunday between the noon and 3PM NFL games. Had a unique password for DK. [...] DK's statement implies this hack comes as a result of bettors using other sites to track their winnings (Action Network, etc.) but I have never done so."

                  Some also say that the hackers got around the 2FA (which afaik requires a phone verification):

                  - "Couldn’t tell you how they did it but I had 2FA set to my phone number."
                  - "They got me, bypassed 2FA, cleaned out my account, and changed my phone number."


                  Obviously, I don't know how reliable those users are either. But going by the number of people posting stuff like that, I don't think DK's statement matches the reported experiences at all.

                  Comment

                  • Optional
                    Administrator
                    • 06-10-10
                    • 60409

                    #10
                    I am skeptical by default when an issue comes up for reddit users that we are not seeing reported at many other places. I think users there often lie to be part of the drama as well.
                    .

                    Comment

                    • PD77
                      SBR MVP
                      • 12-11-09
                      • 2381

                      #11
                      I registered an account at draft kings when I was in Tennessee earlier this year, was not able to fund it due to my debit card but I did receive the email from Draft Kings at 3 AM this morning. Couple of questions, do they only offer sms for 2FA? If so, that’s not good at all, they should at least offer Google Authenticator in addition to sms. Second question, how are these “hackers” withdrawing customer funds and doing it so quickly? I just assumed there would be steps in place to verify a new withdrawal option not previously used. Thanks!

                      Comment

                      • infotimbo
                        SBR Wise Guy
                        • 10-24-18
                        • 833

                        #12
                        Originally posted by PD77
                        how are these “hackers” withdrawing customer funds and doing it so quickly? I just assumed there would be steps in place to verify a new withdrawal option not previously used
                        my understanding was that they deposited $5 with a new card and then were able to use it to withdraw the remaining balance.

                        Comment

                        • bleedblue
                          SBR Sharp
                          • 07-22-08
                          • 323

                          #13
                          Originally posted by Optional
                          I am skeptical by default when an issue comes up for reddit users that we are not seeing reported at many other places. I think users there often lie to be part of the drama as well.
                          I would agree but I know firsthand of someone who uses a password manager and doesn’t use bet tracking software…

                          It has led me to believe inside job as JJ said. DK might not be able to pinpoint who/where it came from, so of course they are pointing the finger elsewhere.

                          I’m not an IT guy but if someone using a random zG17GJ!$7xPgT type password got hacked too, how does Draftkings’ story add up?

                          Comment

                          • 2Sweeet
                            SBR MVP
                            • 08-31-22
                            • 1094

                            #14
                            It has nothing to do with any of that. Global Payments is the loophole.

                            Comment

                            • OldBill
                              SBR Hall of Famer
                              • 11-02-21
                              • 6398

                              #15
                              lol just joined draft kings but i have double secret login get code on phone and no mfw would i use any 3rd party to use to login my account but how da fawwwk they gonna withdraw my funds without my bank account info

                              and i do not save my card at draft kings i always type in all digits exp date and cvv

                              Comment

                              • OldBill
                                SBR Hall of Famer
                                • 11-02-21
                                • 6398

                                #16
                                Originally posted by OldBill
                                lol just joined draft kings but i have double secret login get code on phone and no mfw would i use any 3rd party to use to login my account but how da fawwwk they gonna withdraw my funds without my bank account info

                                and i do not save my card at draft kings i always type in all digits exp date and cvv

                                oooo btw use paypal nobody can get your money because they do not know your paypal password

                                Comment

                                • PD77
                                  SBR MVP
                                  • 12-11-09
                                  • 2381

                                  #17
                                  Originally posted by OldBill
                                  oooo btw use paypal nobody can get your money because they do not know your paypal password
                                  That’s just it, they were able to change your very insecure sms 2FA phone number, register their own debit card, make a $5 deposit and withdraw your balance to their debit card. And all this time I assumed stateside books had better account security than offshore. This is bush league right here.
                                  I'm thinking there was a leak of usernames/passwords by DraftKings and then a very organized group found a very clever way of draining all of these accounts overnight, no doubt they worked as a team.
                                  I will say at least draftkings is reimbursing the accounts and there is actual legal recourse as opposed to offshore. Still amateur hour by draftkings.

                                  Comment
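
The sequence described in posts #12 and #17 (2FA phone number changed, a new card registered, a $5 deposit, then the balance withdrawn to that card) is one an operator can look for in account event logs. The following is an added example, not part of the original thread and not DraftKings' code; the event field names, the 24-hour window, the $10 threshold and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed look-back window
SMALL_DEPOSIT = 10.00         # assumed ceiling for a "token" deposit, USD

def flag_withdrawals(events):
    """Flag withdrawals to a recently added card that also follow a 2FA phone change or only a token deposit."""
    flagged, state = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = state.setdefault(ev["account"], {"phone": None, "cards": {}, "deposits": {}})
        kind, ts = ev["type"], ev["ts"]
        if kind == "phone_change":
            acct["phone"] = ts
        elif kind == "card_added":
            acct["cards"].setdefault(ev["card"], ts)
        elif kind == "deposit":
            acct["deposits"].setdefault(ev["card"], []).append(ev["amount"])
        elif kind == "withdrawal":
            reasons = []
            added = acct["cards"].get(ev["card"])
            if added is not None and ts - added <= WINDOW:
                reasons.append("card_new")
            paid_in = sum(acct["deposits"].get(ev["card"], []))
            if 0 < paid_in <= SMALL_DEPOSIT and ev["amount"] > paid_in:
                reasons.append("token_deposit_only")
            if acct["phone"] is not None and ts - acct["phone"] <= WINDOW:
                reasons.append("phone_changed")
            # A new card alone is normal behaviour; require one more signal.
            if "card_new" in reasons and len(reasons) >= 2:
                flagged.append((ev["account"], ev["card"], reasons))
    return flagged

def _t(hour, minute):  # constructed timestamps on an arbitrary date
    return datetime(2000, 1, 2, hour, minute)

# Constructed sample events (not real data). acct-A follows the reported chain;
# acct-B uses a long-standing card; acct-C adds a card but deposits normally.
SAMPLE_EVENTS = [
    {"account": "acct-A", "ts": _t(3, 0), "type": "phone_change"},
    {"account": "acct-A", "ts": _t(3, 2), "type": "card_added", "card": "card-x"},
    {"account": "acct-A", "ts": _t(3, 3), "type": "deposit", "card": "card-x", "amount": 5.00},
    {"account": "acct-A", "ts": _t(3, 10), "type": "withdrawal", "card": "card-x", "amount": 480.00},
    {"account": "acct-B", "ts": _t(9, 0), "type": "deposit", "card": "card-b", "amount": 100.00},
    {"account": "acct-B", "ts": _t(21, 0), "type": "withdrawal", "card": "card-b", "amount": 150.00},
    {"account": "acct-C", "ts": _t(10, 0), "type": "card_added", "card": "card-c"},
    {"account": "acct-C", "ts": _t(10, 5), "type": "deposit", "card": "card-c", "amount": 200.00},
    {"account": "acct-C", "ts": _t(18, 0), "type": "withdrawal", "card": "card-c", "amount": 250.00},
]
if __name__ == "__main__":
    print(flag_withdrawals(SAMPLE_EVENTS))
```

A flagged withdrawal would typically be held for step-up verification rather than paid out automatically.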
