DraftKings gamblers lose $300,000 to credential stuffing attack

A credential stuffing attack over the weekend that affected sports betting biz DraftKings resulted in as much as $300,000 being stolen from customer accounts. The Boston-based company said that its systems were not breached but that the login information of the impacted customers was stolen elsewhere and applied to their …
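The lede distinguishes credential stuffing (passwords leaked elsewhere and replayed against many accounts) from a breach of the site itself. The defensive signature that distinction implies, and that a site like the one described would look for in its own authentication logs, is one source hitting many *different* usernames with a high failure rate, rather than one account being hammered. The detector below is an added example, not code from the article or from DraftKings; the log lines are constructed, and the thresholds and log format are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format: timestamp, source IP,
# username, outcome). The first source tries ten different accounts in ten seconds
# and gets into two of them; the second is one user mistyping their own password.
SAMPLE_LOG = """\
2022-11-20T02:00:01Z 203.0.113.7 alice FAIL
2022-11-20T02:00:02Z 203.0.113.7 bob FAIL
2022-11-20T02:00:03Z 203.0.113.7 carol OK
2022-11-20T02:00:04Z 203.0.113.7 dave FAIL
2022-11-20T02:00:05Z 203.0.113.7 erin FAIL
2022-11-20T02:00:06Z 203.0.113.7 frank OK
2022-11-20T02:00:07Z 203.0.113.7 grace FAIL
2022-11-20T02:00:08Z 203.0.113.7 heidi FAIL
2022-11-20T02:00:09Z 203.0.113.7 ivan FAIL
2022-11-20T02:00:10Z 203.0.113.7 judy FAIL
2022-11-20T02:01:00Z 198.51.100.9 alice FAIL
2022-11-20T02:01:30Z 198.51.100.9 alice FAIL
2022-11-20T02:02:00Z 198.51.100.9 alice OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        ts_dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(ts_dt, ip, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing(events, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.5):
    """Flag source IPs whose sliding window shows many distinct usernames with mostly failures.

    Returns a dict keyed by source IP. Successful logins inside a flagged window are
    reported separately because, in a stuffing campaign, those are the accounts whose
    reused password actually worked and that need a forced reset or step-up check.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window` of time.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "successful_users": sorted(e.user for e in win if e.ok),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account retry from 198.51.100.9 is not flagged: distinct-username breadth, not raw failure count, is what separates stuffing from a forgotten password or a brute-force attempt on one account. In production the source-IP key is a weak one on its own, since carrier-grade NAT and corporate proxies legitimately put many users behind one address and attackers rotate through proxy pools; practitioners usually combine it with user-agent, ASN and whether the attempted usernames exist, and treat the flagged successes as the priority for remediation.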

  1. razorfishsl

    This is what happens when you let retard addicts use computers....

    1. Anonymous Coward

      Oh look, it's a self-referential comment.

    2. Michael Strorm Silver badge

      I wasn't aware that being addicted to retards was a thing.

  2. Spamolot

    Wait - you're telling me people are still using the same passwords or passphrases for multiple websites in 2022?

    Shirley you're joking... don't call me Shirley!

  3. Anonymous Coward

    Id

    I am hacked, therefore I am

  4. DS999 Silver badge

    Use of the Apple/Google Fido 2FA standard will make this a thing of the past before long

    I don't use the Google one but I assume it works pretty much exactly like it does when I use Apple's. I log in to a web site with my Apple ID and I get a notification on my phone and have to unlock it to get a code that I type into the web site. Works a treat, even though I'm running Firefox on Linux when logging into a web site, so it doesn't require an all-Apple or all-Google setup to make it work.

    So far only a couple of places I visit are using this, but hopefully it will spread wide and get a bit less friction (i.e. have my PC talk to my phone via Bluetooth so all I have to do is glance at it to unlock it and it'll fill in the code for me). Maybe that would already work if I was running macOS+Safari or Windows/Edge, but even without that it adds the necessary security without the obvious holes that SMS or email based 2FA create, or the hassle of starting up e.g. a third party RSA app (let alone using a dongle).

    1. tiggity Silver badge

      Re: Use of the Apple/Google Fido 2FA standard will make this a thing of the past before long

      Works a treat ... until you are somewhere where there is no mobile signal & no WiFi access allowed for your phone

      1. DS999 Silver badge

        Re: Use of the Apple/Google Fido 2FA standard will make this a thing of the past before long

        SMS based 2FA wouldn't work there either so it is hardly making things worse versus how things were before.

        Anyway, no one is forcing you to use FIDO, if you frequent a place with the above limitations then it won't work for you. The only way you can have a useless phone but still need to login to something on the internet is if you are using a PC installed in that location. i.e. it is almost certainly your workplace and it is up to them to come up with an alternative if they refuse to allow wifi access or install microcells.

    2. Anonymous Coward

      Re: Use of the Apple/Google Fido 2FA standard will make this a thing of the past before long

      "have my PC talk to my phone via bluetooth so all I have to do is glance at it to unlock it and it'll fill in the code for me"

      $dayjob uses PingID for 2FA. It works pretty much like that (although I unlock with fingerprint). If Bluetooth acts up, it falls back to generating a 6-digit code, like the venerable RSA keyfobs used to do.

  5. trevorde Silver badge

    Biometrics are not revokable

    Not even John Dillinger could change his fingerprints

    1. DS999 Silver badge

      Re: Biometrics are not revokable

      The schemes like FIDO that use your phone rely on your phone and its link back to Apple/Google - your finger/face is only used to unlock it. Someone having a working model of a finger or face that can unlock your phone would ALSO have to have your phone because it needs the link back to Apple/Google you have set up to make it work. If they can compromise your Apple/Google credentials and set up another phone linked to your account, then your finger/face are irrelevant. They can set that phone up with their own finger/face.

      So even if your finger/face could be revoked, it would not increase the security of FIDO 2FA, because that's not what it is depending on. The "something you have" is your phone's link back to home base, not your biometrics.

  6. Pascal Monett Silver badge

    "only about 15 percent of people use strong and unique passwords"

    So that means that 85% of Internet users are ruining the experience for everyone else.

    Well I'm sorry, but I'm part of the 15% and I'll be damned before I allow any website to have my biometric data for security.

    Not until they either 1) prove that they cannot be hacked (yeah, right), or 2) tell me how I can change my fingerprints.

    1. Trigonoceps occipitalis

      Re: "only about 15 percent of people use strong and unique passwords"

      You have eight fingers and two thumbs. I don't know of a fingerprint authentication needing more than one print outside immigration or seriously secure factories or offices. You have nine spares, just cut the used digit off to prevent a mistake. It will also be an incentive to take more care of your biometrics.

      1. John Brown (no body) Silver badge

        Re: "only about 15 percent of people use strong and unique passwords"

        "It will also be an incentive to take more care of your biometrics."

        It's not an incentive to those most likely to lose your biometrics through :-)

      2. jvf

        Re:spare digits

        sorry www-no fingerprints for you. However, I'm starting to wonder if there is a business opportunity awaiting for purloined digits from ???
