Executive Summary
In November 2022, DraftKings, a prominent fantasy sports and betting platform, experienced a credential stuffing attack that compromised approximately 60,000 user accounts. The attackers, led by Nathan Austad, known online as "Snoopy," exploited reused login credentials to gain unauthorized access. In about 1,600 cases, they added new payment methods to the compromised accounts and withdrew funds, resulting in approximately $600,000 in losses. The remaining compromised accounts were sold on cybercriminal marketplaces. Austad was sentenced to 18 months in federal prison, ordered to serve three years of supervised release, pay over $1.3 million in restitution, and forfeit an additional $463,000.
This incident underscores the persistent threat of credential stuffing attacks, particularly in the online betting industry, where user accounts often contain sensitive financial information. It highlights the critical need for robust password policies, multi-factor authentication, and user education to prevent unauthorized access and financial losses.
Why This Matters Now
The DraftKings credential stuffing attack serves as a stark reminder of the vulnerabilities associated with password reuse and the importance of implementing multi-factor authentication. As cybercriminals continue to exploit these weaknesses, organizations must prioritize enhancing their security measures to protect user accounts and sensitive information.
Attack Path Analysis
In November 2022, attackers utilized credential stuffing to gain unauthorized access to approximately 60,000 DraftKings user accounts. They added new payment methods to 1,600 of these accounts, withdrawing around $600,000. The remaining compromised accounts were sold on cybercriminal marketplaces. The attack did not involve privilege escalation, lateral movement, or command and control stages. The primary impact was financial loss to customers and reputational damage to DraftKings.
Kill Chain Progression
Initial Compromise
Description
Attackers performed credential stuffing, using previously breached credentials to access approximately 60,000 DraftKings user accounts.
MITRE ATT&CK® Techniques
Credential Stuffing
Valid Accounts
Gather Victim Identity Information: Credentials
Application Layer Protocol: Web Protocols
Indicator Removal on Host: File Deletion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Gambling/Casinos
The DraftKings credential stuffing attack demonstrates a critical vulnerability to account takeover, payment fraud, and customer fund theft, requiring enhanced authentication controls.
Financial Services
Payment method manipulation and fund withdrawal attacks highlight the need for egress security, anomaly detection, and zero trust segmentation capabilities.
Computer Software/Engineering
Fantasy sports platforms require multicloud visibility, threat detection systems, and encrypted traffic monitoring to prevent credential stuffing and lateral movement.
Internet
Online betting platforms face elevated risks from cybercriminal marketplaces selling compromised accounts, requiring comprehensive egress filtering and policy enforcement mechanisms.
Sources
- Minnesota man known as ‘Snoopy’ sentenced in DraftKings hack: https://cyberscoop.com/draftkings-hack-sentencing-nathan-austad-snoopy/
- DraftKings users lose thousands in devious cyberattack: https://www.techradar.com/news/draftkings-users-lose-thousands-in-devious-cyberattack
- DraftKings users lose $300,000 to credential stuffing attack: https://www.theregister.com/2022/11/22/draftkings_credential_stuffing_attack/
- DraftKings reveals thousands of customer accounts hit by cyberattack: https://www.techradar.com/news/draftkings-reveals-thousands-of-customer-accounts-hit-by-cyberattack
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit compromised accounts, thereby reducing the potential financial impact and limiting unauthorized access.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised accounts could have been limited, reducing the potential financial impact and unauthorized access.
Control: Zero Trust Segmentation
Mitigation: While no privilege escalation occurred, Zero Trust Segmentation could have further limited the attacker's ability to gain higher-level access, reducing potential risks.
Control: East-West Traffic Security
Mitigation: Although lateral movement did not occur, East-West Traffic Security could have further limited the attacker's ability to move within the network, reducing potential risks.
Control: Multicloud Visibility & Control
Mitigation: Even though no command and control was used, Multicloud Visibility & Control could have further limited the attacker's ability to establish such channels, reducing potential risks.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate funds could have been limited, reducing the financial impact of the attack.
The overall impact of the attack could have been limited, reducing financial losses and reputational damage.
Impact at a Glance
Affected Business Functions
- User Account Management
- Payment Processing
- Customer Support
Estimated downtime: 7 days
Estimated loss: $300,000
Data exposed: Personal information of approximately 68,000 users, including names, addresses, phone numbers, email addresses, and partial payment card details.
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication (MFA) to prevent unauthorized access through compromised credentials.
- Enforce strong password policies and educate users on the risks of password reuse.
- Monitor for unusual account activities, such as the addition of new payment methods.
- Utilize threat detection systems to identify and respond to credential stuffing attempts.
- Regularly review and update security measures to address emerging threats.
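As an added example (not from the original report, DraftKings, or Aviatrix), the following Python runs the two detections recommended above over constructed login and payment events: a credential-stuffing source (one IP cycling through many distinct usernames with mostly failures inside a short window) and a payment-method addition shortly after a login from an IP the account had never used before. Thresholds, event names and the sample data are assumptions for illustration.

```python
# Added example: two detections for the recommendations above, run over constructed events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event, user, source_ip). Not real data.
EVENTS = [
    ("2022-11-18T09:00:00", "login_ok", "carol", "198.51.100.7"),   # carol's usual IP
    ("2022-11-18T10:00:00", "login_fail", "alice", "203.0.113.5"),
    ("2022-11-18T10:00:01", "login_fail", "bob", "203.0.113.5"),
    ("2022-11-18T10:00:02", "login_ok", "carol", "203.0.113.5"),    # reused password hit
    ("2022-11-18T10:00:03", "login_fail", "dave", "203.0.113.5"),
    ("2022-11-18T10:00:04", "login_fail", "erin", "203.0.113.5"),
    ("2022-11-18T10:00:05", "login_ok", "frank", "203.0.113.5"),
    ("2022-11-18T10:03:00", "add_payment_method", "carol", "203.0.113.5"),
    ("2022-11-18T11:00:00", "login_ok", "grace", "198.51.100.9"),   # no prior baseline
    ("2022-11-18T11:30:00", "add_payment_method", "grace", "198.51.100.9"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def stuffing_sources(events, min_users=5, min_fail_ratio=0.5, window=timedelta(minutes=5)):
    """Flag source IPs that try many distinct usernames with mostly failures in one window."""
    by_ip = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev in ("login_fail", "login_ok"):
            by_ip[ip].append((parse(ts), ev, user))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _, _) in enumerate(attempts):          # sliding window from each attempt
            win = [a for a in attempts[i:] if a[0] - t0 <= window]
            users = {u for _, _, u in win}
            fails = sum(1 for _, ev, _ in win if ev == "login_fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged

def suspicious_payment_changes(events, window=timedelta(minutes=30)):
    """Flag payment-method additions soon after a login from an IP the user had not used before."""
    events = sorted(events, key=lambda e: parse(e[0]))
    known_ips = defaultdict(set)   # user -> IPs seen in earlier successful logins (the baseline)
    new_ip_login = {}              # user -> time of the latest login from a previously unseen IP
    flagged = []
    for ts, ev, user, ip in events:
        t = parse(ts)
        if ev == "login_ok":
            if known_ips[user] and ip not in known_ips[user]:   # a first-ever login sets the baseline
                new_ip_login[user] = t
            known_ips[user].add(ip)
        elif ev == "add_payment_method" and user in new_ip_login and t - new_ip_login[user] <= window:
            flagged.append((user, ip))
    return flagged
```

In production the baseline would come from weeks of login history rather than the same event stream, and the stuffing detector would be tuned per endpoint, since shared NAT addresses can legitimately carry many users.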