DraftKings reports another data breach caused by credential stuffing


DraftKings, a leading online sports betting and gaming company, has disclosed that it recently experienced a data security incident involving credential stuffing attacks that enabled unauthorized access to some customer accounts.

What happened:

  • DraftKings became aware of suspicious login activity on September 2, 2025, triggering an internal investigation.
  • According to its notifications submitted to the Massachusetts Attorney General, the attacker(s) used login credentials stolen from non-DraftKings sources to access customer accounts.
  • The company states there is no evidence that its internal systems were breached, nor that credentials were taken from DraftKings directly.

The types of data that may have been viewed by attackers vary by account.

DraftKings’ notice lists the following categories:

  • Name
  • Address
  • Date of birth
  • Phone number
  • Email address
  • Last four digits of payment card
  • Profile photo
  • Transaction history
  • Account balance
  • Date password was last changed

DraftKings says it has no indication that more sensitive elements—such as full financial account numbers or government-issued identification—were compromised.

In response to the incident, DraftKings has taken several steps:

  1. Account measures
    • Some potentially impacted users are required to reset their account passwords.
    • For its “DK Horse” accounts, multi-factor authentication (MFA) is being made mandatory.
  2. Technical controls
    • DraftKings states it has implemented additional safeguards (e.g. rate limiting, anomaly detection) intended to reduce the risk of, and detect, future credential stuffing attempts.
  3. Customer guidance
    • The company recommends affected users monitor bank statements and credit reports, place fraud alerts, and use unique passwords.

DraftKings has not publicly disclosed how many accounts were affected.

Later updates suggest the impact may have been limited: DraftKings reportedly told BleepingComputer the incident affected fewer than 30 customers.

Credential stuffing is a cyberattack technique in which attackers use automated tools to try large numbers of username/password combinations—often harvested from breaches of other services—against a target site.

This method is particularly effective when users reuse the same passwords across multiple sites.
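The anomaly-detection safeguard mentioned above and the attack pattern just described can be illustrated with a small detection heuristic. The following is an added example, not DraftKings' own code or tooling: it replays constructed authentication log lines (the format, the IP addresses and the usernames are all made up for the example) and flags any source address that, within a sliding window, attempts logins against many distinct accounts with a low success ratio. That shape, one source trying a list of credentials across many accounts, is what distinguishes credential replay from a single user mistyping a password. The window size and thresholds are assumptions a deployment would tune against its own traffic.

```python
"""
Sliding-window heuristic for spotting credential stuffing in auth logs.

A source IP is flagged when, inside the window, it has made at least
`min_attempts` login attempts against at least `min_distinct_users`
different accounts with a success ratio at or below `max_success_ratio`.
All log data below is constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <SUCCESS|FAIL>".
# 203.0.113.7 replays a credential list across 12 accounts (one hit);
# 198.51.100.20 is one user fumbling their own password, then succeeding.
SAMPLE_LOG = """\
2025-09-02T10:00:00 203.0.113.7 user01 FAIL
2025-09-02T10:00:01 203.0.113.7 user02 FAIL
2025-09-02T10:00:02 203.0.113.7 user03 FAIL
2025-09-02T10:00:03 203.0.113.7 user04 FAIL
2025-09-02T10:00:04 203.0.113.7 user05 FAIL
2025-09-02T10:00:05 203.0.113.7 user06 FAIL
2025-09-02T10:00:06 203.0.113.7 user07 FAIL
2025-09-02T10:00:07 203.0.113.7 user08 FAIL
2025-09-02T10:00:08 203.0.113.7 user09 FAIL
2025-09-02T10:00:09 203.0.113.7 kim SUCCESS
2025-09-02T10:00:10 203.0.113.7 user11 FAIL
2025-09-02T10:00:11 203.0.113.7 user12 FAIL
2025-09-02T10:01:00 198.51.100.20 dave FAIL
2025-09-02T10:01:10 198.51.100.20 dave FAIL
2025-09-02T10:01:20 198.51.100.20 dave SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts, ip, user, outcome = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS")


def detect_credential_stuffing(
    lines,
    window: timedelta = timedelta(minutes=5),
    min_attempts: int = 10,
    min_distinct_users: int = 8,
    max_success_ratio: float = 0.2,
) -> dict:
    """
    Return {src_ip: (attempts, distinct_users, successes)} for every source
    whose most recent window tripped the thresholds. Thresholds are assumed
    starting points, not values from any vendor's deployment.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    per_ip = defaultdict(deque)  # recent events per source, oldest first
    flagged = {}
    for ev in events:
        q = per_ip[ev.src_ip]
        q.append(ev)
        # Drop events that have aged out of the window.
        while q and ev.ts - q[0].ts > window:
            q.popleft()
        attempts = len(q)
        distinct_users = len({e.user for e in q})
        successes = sum(e.success for e in q)
        if (
            attempts >= min_attempts
            and distinct_users >= min_distinct_users
            and successes / attempts <= max_success_ratio
        ):
            flagged[ev.src_ip] = (attempts, distinct_users, successes)
    return flagged


if __name__ == "__main__":
    for ip, (attempts, users, hits) in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {attempts} attempts, {users} accounts, {hits} successes -> likely credential stuffing")
```

On the constructed log the replaying source is flagged with 12 attempts across 12 accounts and a single success, while the legitimate user's three attempts against one account stay well under every threshold. In practice the same per-source counters feed a rate limiter (throttle or challenge the source once it trips), and the one successful login inside a flagged burst is the account worth forcing a password reset on, which is the pattern of response described in the notice above.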

In late 2023, DraftKings was targeted in a major credential stuffing attack carried out by a 19-year-old American who admitted to breaching roughly 60,000 accounts. Funds were stolen from about 1,600 of those accounts. While DraftKings initially estimated the losses at $300,000, the attorney general later reported that damages reached $600,000. The company ultimately chose to reimburse the affected users.