DraftKings

DraftKings, a leading American sports gambling company, detected and thwarted a credential stuffing attack on September 2, 2025. The attack involved unauthorized access to user accounts using stolen login credentials obtained from external breaches, not from DraftKings’ systems. While no evidence suggested a direct breach of DraftKings’ infrastructure or theft of highly sensitive data (e.g., full financial details, government-issued IDs, or data enabling identity theft), attackers may have temporarily accessed certain customer accounts.

Potentially exposed information included names, addresses, dates of birth, phone numbers, email addresses, last four digits of payment cards, profile photos, transaction details, account balances, and password change dates. DraftKings responded by forcing password resets, enabling multifactor authentication (MFA) for affected accounts, and implementing additional technical safeguards. Users were notified and advised to secure their accounts. The company emphasized that no systemic breach occurred, and no critical financial or identification data was compromised. This incident follows a similar 2022 attack where 68,000 accounts were compromised via credential stuffing.

Source: https://securityaffairs.com/183110/security/draftkings-thwarts-credential-stuffing-attack-but-urges-password-reset-and-mfa.html

TPRM report: https://www.rankiteo.com/company/draftkings-inc-

"id": "dra5192751100825",
"linkid": "draftkings-inc-",
"type": "Cyber Attack",
"date": "6/2022",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Limited subset (exact number '
                                              'undisclosed)',
                        'industry': ['Sports Betting',
                                     'Online Gambling',
                                     'Fantasy Sports'],
                        'location': 'United States',
                        'name': 'DraftKings',
                        'type': 'Public Company'}],
 'attack_vector': 'Stolen credentials from third-party breaches (credential '
                  'stuffing)',
 'customer_advisories': ['Reset passwords immediately.',
                         'Enable MFA on DraftKings accounts.',
                         'Avoid reusing passwords across services.',
                         'Monitor accounts for suspicious activity.'],
 'data_breach': {'personally_identifiable_information': True,
                 'sensitivity_of_data': 'Moderate (no full financial/ID data)',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Partial Payment Information',
                                              'Account Metadata']},
 'date_detected': '2025-09-02',
 'date_publicly_disclosed': '2025-10-08',
 'description': 'DraftKings detected and contained a credential stuffing '
                'attack targeting user accounts on September 2, 2025. The '
                'attack used stolen logins from non-DraftKings sources, but no '
                "evidence suggests a breach of DraftKings' systems or theft of "
                'sensitive data (e.g., full financial details, '
                'government-issued IDs). Potentially accessed data includes '
                'names, addresses, dates of birth, phone numbers, email '
                'addresses, partial payment card details, profile photos, '
                'transaction details, account balances, and password change '
                'dates. Impacted users were notified and advised to reset '
                'passwords and enable MFA. DraftKings implemented additional '
                'safeguards to prevent future attacks.',
 'impact': {'brand_reputation_impact': 'Low (proactive response, no sensitive '
                                       'data exposed)',
            'data_compromised': ['Names',
                                 'Addresses',
                                 'Dates of birth',
                                 'Phone numbers',
                                 'Email addresses',
                                 'Last four digits of payment cards',
                                 'Profile photos',
                                 'Transaction details',
                                 'Account balances',
                                 'Password change dates'],
            'identity_theft_risk': 'Low (no full financial/ID data exposed)',
            'operational_impact': 'Minimal (contained quickly)',
            'payment_information_risk': 'Low (only last four digits of cards '
                                        'exposed)',
            'systems_affected': ['User accounts (limited subset)']},
 'initial_access_broker': {'entry_point': 'Stolen credentials from third-party '
                                          'breaches',
                           'high_value_targets': 'User accounts with reusable '
                                                 'credentials'},
 'investigation_status': 'Completed (no evidence of systemic breach or '
                         'sensitive data theft)',
 'lessons_learned': ['Credential stuffing remains a persistent threat due to '
                     'password reuse across services.',
                     'Proactive measures like MFA and password resets can '
                     'mitigate account takeover risks.',
                     'User education on password hygiene is critical to '
                     'prevent such attacks.'],
 'motivation': ['Account Takeover', 'Fraud (potential)'],
 'post_incident_analysis': {'corrective_actions': ['Expanded MFA requirements.',
                                                   'Enhanced monitoring for '
                                                   'credential stuffing '
                                                   'patterns.',
                                                   'User notifications for '
                                                   'password resets.'],
                            'root_causes': ['Users reusing passwords across '
                                            'multiple platforms.',
                                            'Lack of MFA enforcement for all '
                                            'accounts (prior to incident).']},
 'recommendations': ['Enforce MFA for all user accounts, not just high-risk '
                     'subsets.',
                     'Implement automated detection for credential stuffing '
                     'attempts (e.g., failed login thresholds).',
                     'Partner with haveibeenpwned.com or similar services to '
                     'alert users of exposed credentials.',
                     'Conduct regular audits of authentication logs for '
                     'anomalous activity.'],
 'references': [{'date_accessed': '2025-10-08',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/153820/data-breach/draftkings-credential-stuffing-attack.html'}],
 'response': {'communication_strategy': ['Data breach notifications to '
                                         'impacted users',
                                         'Public disclosure via media '
                                         '(SecurityAffairs)'],
              'containment_measures': ['Forced password resets for impacted '
                                       'users',
                                       'Enabled multifactor authentication '
                                       '(MFA) for DK Horse accounts'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'remediation_measures': ['Internal investigation',
                                       'Implementation of new technical '
                                       'safeguards']},
 'stakeholder_advisories': 'Impacted users notified via email with remediation '
                           'steps.',
 'title': 'DraftKings Thwarts Credential Stuffing Attack, Urges Password Reset '
          'and MFA',
 'type': ['Credential Stuffing', 'Unauthorized Access'],
 'vulnerability_exploited': 'Reused passwords across multiple services'}