DraftKings thwarts credential stuffing attack, but urges password reset and MFA

DraftKings warns of credential stuffing using stolen logins; no evidence of a systems breach or theft of sensitive data, but impacted users must reset passwords and enable MFA.

A credential stuffing campaign has targeted the American sports gambling company DraftKings.

Credential stuffing is a type of cyberattack where hackers use stolen usernames and passwords, usually obtained from previous data breaches, to try to log into other online accounts.
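Because every guess in a stuffing run is a different account tried once with a password that is usually wrong, the pattern stands out in login telemetry: one source trying many distinct usernames in a short window with a high failure ratio, and the few successes among them are exactly the accounts whose owners reused a leaked password. The script below is an added example, not DraftKings' code or tooling; the JSON log format, the field names `ts`/`src_ip`/`user`/`result`, the sample lines and the thresholds are all assumptions chosen for illustration.

```python
"""Flag credential-stuffing activity in web-application login logs.

Added example, not DraftKings' code: the JSON log format, field names and
thresholds are assumptions chosen for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one JSON object per line). 203.0.113.7 walks a
# leaked username/password list; the 198.51.100.x lines are ordinary users.
SAMPLE_LOG = """\
{"ts": "2025-09-02T02:59:30Z", "src_ip": "198.51.100.21", "user": "bob",   "result": "success"}
{"ts": "2025-09-02T03:00:01Z", "src_ip": "203.0.113.7",   "user": "alice", "result": "fail"}
{"ts": "2025-09-02T03:00:04Z", "src_ip": "203.0.113.7",   "user": "bob",   "result": "fail"}
{"ts": "2025-09-02T03:00:07Z", "src_ip": "203.0.113.7",   "user": "carol", "result": "fail"}
{"ts": "2025-09-02T03:00:10Z", "src_ip": "203.0.113.7",   "user": "erin",  "result": "fail"}
{"ts": "2025-09-02T03:00:13Z", "src_ip": "203.0.113.7",   "user": "frank", "result": "fail"}
{"ts": "2025-09-02T03:00:16Z", "src_ip": "203.0.113.7",   "user": "dave",  "result": "success"}
{"ts": "2025-09-02T03:01:00Z", "src_ip": "198.51.100.20", "user": "alice", "result": "fail"}
{"ts": "2025-09-02T03:01:20Z", "src_ip": "198.51.100.20", "user": "alice", "result": "success"}
"""


def parse_log(text):
    """Parse JSON-lines login events and convert timestamps to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return source IPs that try many *distinct* usernames inside `window`
    with mostly failed logins. That combination is the stuffing signature:
    one script replaying a leaked list, one guess per account, most guesses
    wrong because most users did not reuse that password. A brute force
    against a single account, or a user mistyping their own password,
    does not match because only one username is involved."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(win), "fail_ratio": ratio}
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts with a *successful* login from a flagged source: the reused
    password worked there, so these users need a forced reset and MFA
    enrolment, not just the accounts that were merely tried."""
    return sorted({e["user"] for e in events
                   if e["src_ip"] in flagged_ips and e["result"] == "success"})


def analyze(log_text):
    """Run both checks over a log; returns (flagged sources, accounts to reset)."""
    events = parse_log(log_text)
    flagged = stuffing_sources(events)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    flagged, hits = analyze(SAMPLE_LOG)
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to force-reset:", hits)
```

On the constructed sample, only 203.0.113.7 is flagged (six usernames, five failures) and `dave` is the one account whose reused password worked. The per-IP threshold is the easy case: real campaigns rotate through residential proxies so that each address tries only a handful of accounts, and then a site-wide baseline (overall failure rate, share of failed attempts against usernames never seen before) and device or browser fingerprinting are needed to see the same run. None of that stops a correct password from working, which is why MFA is the control that actually closes the gap.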

On September 2, 2025, the company detected unauthorized access to some user accounts caused by credential stuffing using stolen logins. The gambling firm quickly investigated and contained the issue. No evidence indicates a breach of its systems or theft of sensitive data such as IDs or full financial details.

“On September 2, 2025, DraftKings became aware of a potential security incident that may have involved unauthorized access to a limited amount of your data. Upon discovering this incident, DraftKings, among other things, promptly investigated and took a number of steps, described below, to contain and remediate the incident,” reads the data breach notification sent to the impacted users. “Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident. We also have not observed evidence that any sensitive customer information – that is, government-issued identification numbers, full financial account numbers, or other information that would enable the bad actor to commit identity theft or to access our customers’ bank accounts – was subject to unauthorized access as part of this incident.”

Potentially accessed customer data includes names, addresses, dates of birth, phone numbers, email addresses, the last four digits of payment cards, profile photos, transaction details, account balances, and the dates passwords were last changed.

“By stealing login credentials from a non-DraftKings source and using them in this attack, however, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts,” continues the notification.

Impacted users were notified and advised to secure their accounts.

DraftKings responded to the incident by launching an internal investigation, forcing password resets for impacted users, and enabling multifactor authentication for DK Horse accounts. The company also added new technical safeguards intended to prevent similar attacks in the future.

In November 2022, the betting firm announced that approximately 68,000 accounts had been compromised in another credential stuffing attack.

In November 2023, US teenager Joseph Garrison pleaded guilty to his involvement in the credential stuffing attack. In January 2024, Garrison was sentenced to 18 months in prison.


Pierluigi Paganini

(SecurityAffairs – hacking, credential stuffing)
