BCLC Urges PlayNow Users to Change Passwords Amid Cybercrime Alert

21

The British Columbia Lottery Corp. (BCLC) is urging users of its PlayNow online gambling platform to change their passwords following the detection of a high volume of credential-stuffing attacks on the platform. Credential stuffing is a cybercrime technique where hackers use stolen log-in credentials, often obtained from large-scale data breaches and sold on the Dark Web, to access user accounts. Cybercriminals bank on the fact that many people reuse their usernames and passwords across multiple websites.

PlayNow, operated and regulated by the BCLC, stands as British Columbia’s sole legal gambling platform. In a statement released on Thursday, the organization recommended that users change their passwords as a precautionary measure. BCLC emphasized that the stolen credentials originated from other companies’ websites and noted that only a small percentage of PlayNow users were likely to be affected.


TRUSTED PARTNER ✅ Bitcoin Casino


“This is a deeply concerning incident and a cautionary tale for everyone with multiple online accounts,” said BCLC president and CEO Pat Davis. He reassured users by stating, “Our investigation remains ongoing, and we have found no evidence that our systems have been compromised, or that player login information was stolen from our systems.”

The BCLC revealed they had already notified the impacted users, whose accounts were locked due to suspicious activity. The investigation into the credential-stuffing attacks continues.

“Integrity and security are at the core of our business and our games,” Davis added, emphasizing their ongoing commitment to enhancing PlayNow’s security controls to protect player information.

This incident is part of a broader trend affecting online gambling operators, as cyberattacks have been a persistent issue since the industry’s inception. Credential stuffing, in particular, is becoming an increasingly prevalent threat.

In a related case, a credential-stuffing attack in November 2022 resulted in the theft of over $600,000 from around 1,600 DraftKings accounts, causing a 5% decline in the company’s shares on the Nasdaq. The attack occurred shortly after DraftKings had launched in multiple U.S. state markets, sparking concerns among investors about consumer confidence.

Federal agents arrested Joseph Garrison, an 18-year-old from Wisconsin, in February 2023 for his involvement in the DraftKings attacks. Garrison had used credential-stuffing software to access user accounts, set up new payment methods, deposit small amounts, and then withdraw all available funds. Prosecutors revealed that Garrison had files containing nearly 40 million pairs of usernames and passwords on his computer and had once boasted to a co-conspirator that “fraud is fun.” He was sentenced to 18 months in prison in January 2004.

The BCLC’s swift response to the recent credential-stuffing attacks aims to minimize the risk to its users and reinforce the platform’s commitment to security.