DraftKings

DraftKings suffered a credential stuffing or brute-force attack on September 2, 2025, compromising customer accounts. While the company confirmed its systems were not directly breached, attackers used stolen credentials from external sources to access accounts. Exposed data included names, email addresses, phone numbers, dates of birth, last four digits of payment cards, profile photos, transaction histories, account balances, and password change dates, though DraftKings claimed no government-issued IDs, full financial details, or data enabling direct identity theft were accessed.

The incident poses risks of financial fraud, targeted phishing, SIM-swap attacks, social engineering, and extortion, as the leaked information can be weaponized for follow-up attacks. DraftKings advised users to reset passwords, enable two-factor authentication (2FA), monitor credit reports, and consider security freezes. The attack highlights vulnerabilities in reused credentials and underscores the need for stronger authentication measures. No ransomware was involved, but the scale of exposed personal and financial fragments raises concerns over long-term misuse.

Source: https://www.techradar.com/pro/security/draftkings-warns-users-they-may-be-hit-by-cyberattacks-following-breach

TPRM report: https://www.rankiteo.com/company/draftkings-inc-

"id": "dra4092140100825",
"linkid": "draftkings-inc-",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Online Gambling/Sports Betting',
                        'location': 'Boston, Massachusetts, USA',
                        'name': 'DraftKings',
                        'type': 'Public Company'}],
 'attack_vector': ['Credential Stuffing', 'Brute-Force Attack'],
 'customer_advisories': 'Public notification via Massachusetts disclosure; '
                        'direct communication to affected users.',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Moderate to High (PII but no full '
                                        'financial/account details)',
                 'type_of_data_compromised': ['Names',
                                              'Email Addresses',
                                              'Phone Numbers',
                                              'Dates of Birth',
                                              'Last Four Digits of Payment '
                                              'Cards',
                                              'Profile Photos',
                                              'Transaction History',
                                              'Account Balances',
                                              'Last Password Change Dates']},
 'date_detected': '2025-09-02',
 'description': 'DraftKings accounts were compromised via credential stuffing '
                'or brute-force attack on September 2, 2025. Exposed data '
                'includes names, emails, phone numbers, partial payment card '
                'digits, and account details. Customers are urged to reset '
                'passwords, enable 2FA, and monitor credit reports for fraud. '
                'DraftKings clarified its systems were not breached; the '
                'attack leveraged credentials stolen from non-DraftKings '
                'sources.',
 'impact': {'brand_reputation_impact': 'Moderate (public disclosure of account '
                                       'compromises)',
            'customer_complaints': 'Likely (urged to reset passwords and '
                                   'monitor accounts)',
            'data_compromised': True,
            'identity_theft_risk': 'High (exposed PII enables phishing, '
                                   'SIM-swap, social engineering)',
            'operational_impact': 'Low (No direct system breach; customer '
                                  'account access only)',
            'payment_information_risk': 'Partial (last four digits of payment '
                                        'cards exposed)'},
 'initial_access_broker': {'entry_point': 'Stolen credentials from third-party '
                                          'sources',
                           'high_value_targets': ['Customer Accounts with '
                                                  'Payment/Transaction Data']},
 'investigation_status': 'Ongoing (no evidence of DraftKings system breach; '
                         'external credential theft confirmed)',
 'lessons_learned': 'Credential reuse across platforms enables account '
                    'takeovers even without direct system breaches. Proactive '
                    'measures like 2FA and password hygiene are critical for '
                    'both users and platforms.',
 'motivation': ['Financial Fraud',
                'Identity Theft',
                'Account Takeover',
                'Phishing',
                'Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Mandatory 2FA '
                                                   'implementation',
                                                   'Password policy '
                                                   'enforcement',
                                                   'User education campaigns'],
                            'root_causes': ['Credential reuse by customers '
                                            'across platforms',
                                            'Lack of enforced 2FA for all '
                                            'accounts']},
 'recommendations': ['Enforce 2FA for all user accounts',
                     'Implement password complexity requirements and periodic '
                     'resets',
                     'Monitor for credential stuffing attempts',
                     'Educate users on password hygiene and phishing risks',
                     'Offer credit monitoring services to affected users'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'TechRadar'},
                {'source': 'Commonwealth of Massachusetts (Data Breach '
                           'Notification)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Massachusetts '
                                                        'Commonwealth (public '
                                                        'disclosure)']},
 'response': {'communication_strategy': ['Public Disclosure via Massachusetts '
                                         'Commonwealth',
                                         'Customer Advisory Letters',
                                         'Media Outreach (e.g., '
                                         'BleepingComputer, TechRadar)'],
              'containment_measures': ['Password Resets', '2FA Enforcement'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Customer Notifications',
                                       'Credit Monitoring Recommendations']},
 'stakeholder_advisories': 'Customers urged to reset passwords, enable 2FA, '
                           'monitor accounts, and consider credit '
                           'freezes/fraud alerts.',
 'title': 'DraftKings Account Compromise via Credential Stuffing/Brute-Force '
          'Attack',
 'type': ['Account Takeover', 'Data Breach'],
 'vulnerability_exploited': 'Weak/Reused Passwords (from third-party sources)'}