Posted on: August 2, 2024, 04:43h.
Last updated on: August 2, 2024, 04:43h.
The British Columbia Lottery Corp. (BCLC) is asking users of its PlayNow online gambling platform to change their passwords. That’s after a high volume of credential-stuffing attacks was detected on the platform.
Credential stuffing is where a cybercriminal acquires log-in credentials that have typically been stolen during large-scale corporate data breaches and then sold on the Dark Web. Working on the premise that people often use the same user ID and passwords on multiple websites, a hacker can use the stolen credentials to gain access to accounts.
State-owned PlayNow, which is operated and regulated by the BCLC, is British Columbia’s only legal gambling platform. In a Thursday news release, the organization suggested that users change their passwords “as a precautionary measure.” It emphasized that the passwords had been stolen from other companies’ websites and only a small percentage of PlayNow players were likely to be affected.
‘Deeply Concerning’
“This is a deeply concerning incident and a cautionary tale for everyone with multiple online accounts,” BCLC president and CEO Pat Davis said in the release. “Our investigation remains ongoing, and we have found no evidence that our systems have been compromised, or that player login information was stolen from our systems.”
The BCLC said it had already notified impacted players, and their accounts had been locked because of suspicious activity. Its investigation into the matter is ongoing.
Integrity and security are at the core of our business and our games,” Davis added. “We are committed to continuing our ongoing evaluation and enhancement of PlayNow security controls to maintain the safety of our players’ information going forward.”
Cyberattacks against online gambling operators are almost as old as the industry itself, although credential-stuffing is a growing concern.
DraftKings Hack
In November 2022, more than $600K was stolen from around 1,600 DraftKings accounts, causing shares in the company to fall 5% on the Nasdaq. The sportsbook had only recently launched in many US state markets, and investors feared the attack would spark a drop-off in consumer confidence.
In February 2023, federal agents arrested a Wisconsin teenager, Joseph Garrison, then 18, for his role in the attacks.
Garrison and others had used credential stuffing software to gain access to user accounts and set up a new payment method to those accounts. Then they would deposit $5 to verify the new payment method, before withdrawing all the funds, according to court documents.
Garrison, who was sentenced to 18 months in prison in January 2004, had files containing nearly 40 million pairs of usernames and passwords on his computer and once boasted that “fraud is fun” to a co-conspirator, prosecutors said.