DraftKings has notified an undisclosed number of customers that their accounts were accessed in a series of credential stuffing attacks. DraftKings, based in Boston and founded in 2012, operates sportsbook and daily fantasy sports services and reported $4.77 billion in revenue at the end of 2024.
In data breach notification letters sent on October 2, DraftKings informed affected customers that attackers had gained access to accounts and a ‘limited amount’ of their data in attacks that bore the hallmarks of credential stuffing. Credential stuffing involves automated attempts to use username and password pairs stolen from other services to take over accounts, a tactic that is particularly effective when people reuse credentials.
DraftKings said the attackers did not access sensitive information such as government-issued identification numbers or full financial account numbers, but that, by using credentials stolen from a non-DraftKings source, the threat actor may have been able to view certain account details. The company listed name, address, date of birth, phone number, email address, last four digits of a payment card, profile photo, prior transaction information, account balance and the date the password was last changed.
The company will require potentially affected customers to reset their DraftKings passwords and to enable multifactor authentication for DK Horse accounts. DraftKings also advised customers to change account passwords, review bank and credit statements, place security freezes on credit reports and set fraud alerts as a precaution.
DraftKings disclosed a similar credential stuffing incident in November 2022 in which up to $300,000 was stolen from accounts; the company later refunded hundreds of thousands of dollars to 67,995 customers. The FBI has warned in recent years that credential stuffing is an increasing threat because of aggregated lists of leaked credentials and readily available automated tools.