DraftKings warns of account breaches in credential stuffing attacks

ThorTech, October 8, 2025

Sports betting giant DraftKings has notified an undisclosed number of customers that their accounts had been hacked in a recent wave of credential stuffing attacks.

DraftKings, a gambling company based in Boston and founded in 2012, provides sportsbook and daily fantasy sports (DFS) services and is an official partner of the NFL, NHL, PGA TOUR, WNBA, UFC, and NASCAR. DraftKings employs over 5,100 people and reported revenues of $4.77 billion at the end of 2024.

In data breach notification letters sent on Thursday, October 2, DraftKings informed affected customers that attackers had gained access to their accounts and a “limited amount” of their data in attacks that bore all the signs of a credential stuffing campaign.

Credential stuffing involves attackers using automated tools to breach user accounts with stolen username/password pairs from other online services, a tactic that is especially effective against those who reuse credentials across multiple platforms. The threat actors aim to take over accounts to steal personal and financial information, which can later be sold on the dark web or used for identity theft and other malicious purposes.

However, the company said the attackers didn’t access sensitive data like “government-issued identification numbers, full financial account numbers,” or other information that would’ve enabled them to breach customers’ bank accounts or commit identity theft.

“By stealing login credentials from a non-DraftKings source and using them in this attack, however, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts,” DraftKings said.

“In the event your account was accessed, the attacker may have been able to view your name, address, date of birth, phone number, email address, last four digits of a payment card, profile photo, information about prior transactions, account balance, and date your password was last changed.”

In response to these attacks, the company will require potentially affected customers to reset their DraftKings account passwords and enable multifactor authentication for logins to DK Horse accounts.

DraftKings also advised customers to change their account passwords, review their bank accounts and credit reports, place security freezes on their credit reports, and set up fraud alerts on their credit files as a precaution.

A DraftKings spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

DraftKings also revealed in November 2022 that up to $300,000 was stolen from accounts breached in another credential stuffing campaign. One month later, the sports betting company refunded hundreds of thousands of dollars to 67,995 customers whose accounts had been hacked in the incident.

The FBI has warned for years that credential stuffing attacks are a massively increasing threat due to readily available aggregated lists of leaked credentials and automated tools.
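The pattern described above, where one source tries many different accounts with only one or two passwords each, can be picked out of authentication logs. The following detection sketch is an added example, not code from DraftKings or BleepingComputer; the event format, thresholds, and function name are assumptions, and the log data is constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
SAMPLE_EVENTS = (
    # Stuffing-like: 30 different accounts, one try each, a few hits
    [("203.0.113.7", f"user{i}@example.com", i % 10 == 0) for i in range(30)]
    # Single-account password guessing: not stuffing
    + [("198.51.100.4", "alice@example.com", False)] * 12
    # Ordinary user who mistyped once
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)

def find_stuffing_sources(events, min_accounts=20,
                          max_tries_per_account=2.0, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose logins look like credential stuffing.

    Heuristic (assumed thresholds): many distinct accounts, few attempts
    per account, and a high overall failure ratio.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "accounts": set(), "hits": set()})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(user.lower())
        if ok:
            s["hits"].add(user.lower())  # a reused password that worked
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        n_accounts = len(s["accounts"])
        tries = s["attempts"] / n_accounts
        fail_ratio = s["failures"] / s["attempts"]
        if (n_accounts >= min_accounts and tries <= max_tries_per_account
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {"accounts_tried": n_accounts,
                           "fail_ratio": round(fail_ratio, 2),
                           # successes inside a stuffing run need reset + MFA
                           "accounts_to_reset": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

Campaigns that rotate through many source addresses will stay under a per-IP threshold, so the same counting is usually repeated over other keys such as network range or client fingerprint.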

Update 10/7/25: After publishing the story, DraftKings told BleepingComputer that the credential stuffing attacks impacted less than 30 customers.

“DraftKings reported a potential security incident involving suspicious logins to the accounts of less than 30 customers,” a DraftKings spokesperson told BleepingComputer.

“Our investigation to date has observed no evidence that the login credentials used were obtained from DraftKings or that DraftKings’ computer systems or networks were breached. Most importantly, no customers have experienced financial loss because of this incident.”

Written by: ThorTech
