1. #1
    infotimbo
    infotimbo's Avatar Become A Pro!
    Join Date: 10-24-18
    Posts: 569
    Betpoints: 7408

    Reports of numerous DraftKings accounts getting compromised

    According to reports on Twitter and Reddit, there has been a widespread attack on DraftKings accounts (but others, including FanDuel, were affected as well) over the weekend, leading to people getting locked out of their accounts and available balances getting withdrawn (or at least attempts to).

    https://www.reddit.com/r/sportsbook/...es_megathread/

    DraftKings has confirmed that it happened, but says the data breach was not on their side:

    https://twitter.com/DraftKingsNews/s...67664832040965

    So far the exact origin seems to be unknown indeed, but by the look of it, somehow people got access to loads of login credentials.

    So I guess especially everyone using the same login/password on various sites should be careful now, change them, and enable 2FA, if possible.

  2. #2
    jjgold
    jjgold's Avatar SBR PRO
    Join Date: 07-20-05
    Posts: 394,888

    Scary stuff

    inside jobs for sure

  3. #3
    pologq
    Make SBR Great Again in 2023
    pologq's Avatar SBR PRO
    Join Date: 10-07-12
    Posts: 19,444
    Betpoints: 5163

    very scary

    draft kings has a buggy app and now the security sucks donkey nuts

    fanduel i am a little more surprised

  4. #4
    Optional
    Optional's Avatar Moderator
    Join Date: 06-10-10
    Posts: 54,395
    Betpoints: 5894

    Sounds like it might be through some sort of bet tracking site where you give them your login??



  5. #5
    infotimbo
    infotimbo's Avatar Become A Pro!
    Join Date: 10-24-18
    Posts: 569
    Betpoints: 7408

    no idea, maybe. Could basically be every site, I guess (although likely US based), as most users use the same login credentials for all accounts anyway. The "hackers" just need to find one site without a proper device/ip based security system then, and it sounds like DraftKings was an easy target in that regard.

  6. #6
    infotimbo
    infotimbo's Avatar Become A Pro!
    Join Date: 10-24-18
    Posts: 569
    Betpoints: 7408

    some of the people commenting on Reddit say that they used unique passwords, no additional tools, and still were affected. So, if true, the breach must have happened at DraftKings themselves.

  7. #7
    Optional
    Optional's Avatar Moderator
    Join Date: 06-10-10
    Posts: 54,395
    Betpoints: 5894

    Quote Originally Posted by infotimbo View Post
    some of the people commenting on Reddit say that they used unique passwords, no additional tools, and still were affected. So, if true, the breach must have happened at DraftKings themselves.
    I don't agree it must be at draftkings end.

    Draftkings allude to it being a third party site where people enter their DK login/passwords.

    "do not share your login info with third party sites for the purpose of tracking betting info".


    And so far that explanation matches the reported experiences people are describing.

    Not a big surprise a chunk of Reddit users would all get caught up doing that. Advice on SBR would have been to avoid that for sure.

  8. #8
    OldBill
    OldBill's Avatar Become A Pro!
    Join Date: 11-02-21
    Posts: 3,491
    Betpoints: 4034

    i have double safety logins on all accounts nobody can get in unless they have my phone that gets a 6 digit pass code only good for 10 minutes and if not in my state they are dead too because of geolocation impossible to play in my account even i told them pass code and everything else because they know if you're using VPN to block your IP address

  9. #9
    infotimbo
    infotimbo's Avatar Become A Pro!
    Join Date: 10-24-18
    Posts: 569
    Betpoints: 7408

    Quote Originally Posted by Optional View Post
    I don't agree it must be at draftkings end.
    I was just referring to the Reddit posts there. For example:

    - "Mine was hacked Sunday between the noon and 3PM NFL games. Had a unique password for DK. [...] DK's statement implies this hack comes as a result of bettors using other sites to track their winnings (Action Network, etc.) but I have never done so."

    Some also say that the hackers got around the 2FA (which afaik requires a phone verification):

    - "Couldn’t tell you how they did it but I had 2FA set to my phone number."
    - "They got me, bypassed 2FA, cleaned out my account, and changed my phone number."


    Obviously, I don't know how reliable those users are either. But going by the number of people posting stuff like that, I don't think DK's statement matches the reported experiences at all.

  10. #10
    Optional
    Optional's Avatar Moderator
    Join Date: 06-10-10
    Posts: 54,395
    Betpoints: 5894

    I am skeptical by default when an issue comes up for reddit users that we are not seeing reported at many other places. I think users there often lie to be part of the drama as well.

  11. #11
    PD77
    Bitches!
    PD77's Avatar SBR PRO
    Join Date: 12-11-09
    Posts: 2,310
    Betpoints: 590

    I registered an account at draft kings when I was in Tennessee earlier this year, was not able to fund it due to my debit card but I did receive the email from Draft Kings at 3 AM this morning. Couple of questions, do they only offer sms for 2FA? If so, that’s not good at all, they should at least offer Google Authenticator in addition to sms. Second question, how are these “hackers” withdrawing customer funds and doing it so quickly? I just assumed there would be steps in place to verify a new withdrawal option not previously used. Thanks!

  12. #12
    infotimbo
    infotimbo's Avatar Become A Pro!
    Join Date: 10-24-18
    Posts: 569
    Betpoints: 7408

    Quote Originally Posted by PD77 View Post
    how are these “hackers” withdrawing customer funds and doing it so quickly? I just assumed there would be steps in place to verify a new withdrawal option not previously used
    my understanding was that they deposited $5 with a new card and then were able to use it to withdraw the remaining balance.

  13. #13
    bleedblue
    bleedblue's Avatar Become A Pro!
    Join Date: 07-22-08
    Posts: 306
    Betpoints: 3287

    Quote Originally Posted by Optional View Post
    I am skeptical by default when an issue comes up for reddit users that we are not seeing reported at many other places. I think users there often lie to be part of the drama as well.
    I would agree but I know first hand of someone who uses a password manager and doesn’t use bet tracking software…

    It has led me to believe inside job as JJ said. DK might not be able to pinpoint who/where it came from, so of course they are pointing the finger elsewhere.

    I’m not an IT guy but if someone using a random zG17GJ!$7xPgT type password got hacked too, how does Draftkings’ story add up?

  14. #14
    2Sweeet
    2Sweeet's Avatar SBR PRO
    Join Date: 09-01-22
    Posts: 140
    Betpoints: 1448

    It has nothing to do with any of that. Global Payments is the loophole.

  15. #15
    OldBill
    OldBill's Avatar Become A Pro!
    Join Date: 11-02-21
    Posts: 3,491
    Betpoints: 4034

    lol just joined draft kings but i have double secret login get code on phone and no mfw would i use any 3rd party to use to login my account but how da fawwwk they gonna withdraw my funds without my bank account info

    and i do not save my card at draft kings i always type in all digits exp date and cvv

  16. #16
    OldBill
    OldBill's Avatar Become A Pro!
    Join Date: 11-02-21
    Posts: 3,491
    Betpoints: 4034

    Quote Originally Posted by OldBill View Post
    lol just joined draft kings but i have double secret login get code on phone and no mfw would i use any 3rd party to use to login my account but how da fawwwk they gonna withdraw my funds without my bank account info

    and i do not save my card at draft kings i always type in all digits exp date and cvv

    oooo btw use pay pal nobody can get your money because they do not know your pay pal password

  17. #17
    PD77
    Bitches!
    PD77's Avatar SBR PRO
    Join Date: 12-11-09
    Posts: 2,310
    Betpoints: 590

    Quote Originally Posted by OldBill View Post
    oooo btw use pay pal nobody can get your money because they do not know your pay pal password
    That’s just it, they were able to change your very insecure sms 2FA phone number, register their own debit card, make a $5 deposit and withdraw your balance to their debit card. And all this time I assumed stateside books had better account security than offshore. This is bush league right here.
    I'm thinking there was a leak of usernames/passwords by DraftKings and then a very organized group found a very clever way of draining all of these accounts overnight, no doubt they worked as a team.
    I will say at least draftkings is reimbursing the accounts and there is actual legal recourse as opposed to offshore. Still amateur hour by draftkings.
