US betting giant DraftKings has seen its stock price fall 10% after news emerged that bank accounts linked to customers' sportsbook accounts had been targeted in a hack. The hack was relatively narrow in scale, seemingly harvesting less than $300,000 in customer funds, but has been enough to shake the company and create some bad publicity in a week where it became one of seven sportsbooks to go live in Maryland.
The hack is thought to have involved hundreds of dollars at a time being siphoned from the accounts of DraftKings customers, with the contact details of affected bettors also being changed on their accounts. This has resulted in victims of the hack being unable to access their accounts using two-factor authentication, as their phone numbers no longer match what is on their accounts.
DraftKings’ President of Global Tech and Product, Paul Liberman, was quick to promise that any customers who had lost funds as a result of the hack would be “made whole” by the company. As well as confirming the amount of funds that had been affected by the hack, he pleaded with customers to ensure that they are using unique login information for their betting accounts, and revealed that – as far as he was aware – the hack had not been performed on DraftKings servers.
According to Liberman, the working theory at present is that attackers obtained customers’ login details for other sites and then used that information to attempt access to DraftKings accounts. Where customers had used the same login information for multiple sites, access to their accounts was easily gained; the hackers could then change identifying information, reach the bank account details held by DraftKings, and siphon the money out into other accounts.
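The sequence described above (reused credentials tried across many accounts, then a contact-detail change, then a withdrawal) can be expressed as a detection rule. The following is an added example, not DraftKings' code: the event names, thresholds and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def t(hhmm):
    # Constructed timestamps on an arbitrary date.
    return datetime.fromisoformat(f"2000-01-01T{hhmm}")

# Constructed sample log: (timestamp, source IP, account, event type).
EVENTS = [
    (t("09:00"), "203.0.113.7", "alice", "login_fail"),
    (t("09:01"), "203.0.113.7", "bob", "login_fail"),
    (t("09:02"), "203.0.113.7", "carol", "login_fail"),
    (t("09:03"), "203.0.113.7", "dave", "login_fail"),
    (t("09:04"), "203.0.113.7", "erin", "login_ok"),        # reused password
    (t("09:06"), "203.0.113.7", "erin", "contact_change"),  # phone replaced
    (t("09:10"), "203.0.113.7", "erin", "withdrawal"),
    (t("10:00"), "198.51.100.20", "frank", "login_fail"),   # own typo
    (t("10:01"), "198.51.100.20", "frank", "login_ok"),
    (t("10:05"), "198.51.100.20", "frank", "contact_change"),
    (t("10:30"), "198.51.100.20", "frank", "withdrawal"),
]

STUFFING_MIN_ACCOUNTS = 3              # assumed threshold
TAKEOVER_WINDOW = timedelta(hours=24)  # assumed correlation window

def stuffing_ips(events):
    """IPs whose failed logins span many distinct accounts."""
    failed = defaultdict(set)
    for _, ip, account, event in events:
        if event == "login_fail":
            failed[ip].add(account)
    return {ip for ip, accts in failed.items()
            if len(accts) >= STUFFING_MIN_ACCOUNTS}

def takeover_alerts(events):
    """Accounts with stuffing-IP login -> contact change -> withdrawal."""
    bad_ips = stuffing_ips(events)
    state, alerts = {}, set()
    for ts, ip, account, event in sorted(events):
        if event == "login_ok" and ip in bad_ips:
            state[account] = {"login": ts, "changed": None}
        elif account in state and ts - state[account]["login"] <= TAKEOVER_WINDOW:
            if event == "contact_change":
                state[account]["changed"] = ts
            elif event == "withdrawal" and state[account]["changed"]:
                alerts.add(account)  # hold the payout, re-verify the owner
    return sorted(alerts)
```

The rule tracks the account rather than the IP after the suspicious login, so a contact change or withdrawal made from a different address is still correlated.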
The sportsbook has experienced an impact on its market price as a result of the negative publicity generated by the attack; the transparency of Liberman’s statement may well serve to limit that negative impact by illustrating DraftKings’ relative lack of culpability and speed of action. But the attack is certainly not ideal news for DraftKings in a month where it was revealed they had seen Q3 growth of 135.8% this year.
The relatively unsophisticated nature of the attack does drive home the importance of using unique login information for all sites where it is possible to access users’ funds. It is undoubtedly common for those people who have multiple betting accounts to use the same login information on each for the sake of speed and convenience, but it would certainly be a better idea for any customer to use passwords which are suggested, and then saved, by their browser so that the same convenience can be achieved without handing an advantage to hackers. This is a message that will likely be amplified and re-amplified by DraftKings as it seeks to make amends for the damage done by this attack.