Company plans to reimburse customers
A number of DraftKings customers found out this weekend that their sportsbooks accounts were hacked and just that, but money was drained either from those accounts or the bank accounts connected to them. On Monday, the company said that customers lost about $300,000 in total, but DraftKings intends to make everybody whole.
DraftKings president and co-founder Paul Liberman posted a statement on Twitter, saying that his team has not seen any evidence that DraftKings systems were infiltrated. He believes that the thief (or thieves) found customers’ information on other sites and used that to log in to their DraftKings accounts.
“We strongly encourage customers to use unique passwords for DraftKings and all other sites,” Liberman wrote, “and we strongly recommend that customers do not share their passwords with anyone, including third party sites for the purposes of tracking betting information on DraftKings and other betting apps.”
As an account holder on a variety of gambling sites myself over the years, I would also recommend using different usernames for each account. I know that in poker especially, people often like to have the same screenname so that people know who they are at the tables, but the risk there is someone seeing your screenname and then using that to try to login to your account on a different site.
Now, some sites have usernames that are different than screennames, which helps. And some require you to login with your e-mail address and not your screenname, which is also good, provided nobody else can track down your e-mail address. But regardless, using different screennames/usernames on different sites is almost as important as using different passwords.
Blocked at every turn
As mentioned, customers began noticing problems with their accounts over the weekend. Justin White told Action Network that his wife, Lisa, saw that there were five consecutive $500 withdrawals to DraftKings, which she naturally felt was unusual. Justin said that the hacker had gained access to his bank card (likely because it was a saved deposit method) and started transferring the money.
He tried to login to his DraftKings account, but the thief had already changed the password. When he tried to get a password recovery sent to his phone, he realized the hacker had changed the number, too.
To make matters worse, Justin couldn’t find a customer service phone number or live chat on DraftKings’ website. When he went to DraftKings’ customer service page on Twitter, he saw a message from the hacker, gloating. And on top of all that, the thief flooded his e-mail inbox with hundreds of spam message to make it harder to notice the transaction e-mails.
Alvin Byers got a message that he had made a $5 deposit into his DraftKings account on Sunday night. It was clearly a test deposit by the fraudster, who immediately thereafter took all of Byers’ money.
Byers tried to login to his account using his e-mail address, password, and two-factor authentication, but the code DraftKings sent for the 2FA was sent to a cell phone number that was not his.
“So while my password wasn’t changed, my phone number was.”