DraftKings admits to another credential stuffing breach exposing customer data


DraftKings has revealed that it suffered yet another credential stuffing attack. The online sports betting platform is now warning customers that their personal information may be at risk.

The fantasy sportsbook and collection of gambling apps sent out a breach notice to a reportedly limited number of customers impacted by what it labels a “potential security incident.”

The company filed the notice on October 2nd, as listed with the Massachusetts Attorney General’s Office.

“On September 2nd, 2025, DraftKings became aware of a potential security incident that may have involved unauthorized access to a limited amount of your data,” the 3-page letter states.

Image: DraftKings breach notification letter.

DraftKings said that as soon as it discovered the attack, it “promptly investigated” and took steps to address the incident, including:

  • Initiating an internal investigation
  • Requiring potentially affected customers to reset their DraftKings account passwords
  • Requiring multifactor authentication for logins to DK Horse accounts
  • Implementing additional technical measures designed to prevent similar attacks

Headquartered in Boston, the DraftKings gambling conglomerate houses five mobile apps – Daily Fantasy Sports, Sportsbook, Casino, Pick6, and DK Horse – to complement its website.

The company also boasts about 30 physical sportsbooks and live locations across more than two dozen states, including Washington, DC.

Data at risk

Identified by the company as a credential stuffing attack, DraftKings warns, “the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts.”

In credential stuffing attacks, threat actors take a user’s login information – either stolen from other online services or bought on the dark web – and repeatedly attempt to plug those credentials into accounts on other services, often using automation.

DraftKings explicitly states the credentials used in the September attack were not obtained from DraftKings and that DraftKings’ computer systems or networks were not breached in the incident.

Customer data said to have been accessed by the cybercriminals includes a variety of personally identifiable information (PII), including:

  • Name, address, date of birth
  • Phone number, email address
  • Profile photo
  • Last four digits of a payment card
  • Information about prior transactions
  • Account balance
  • Date user password was last changed

The letter further states that government-issued identification and/or full financial account numbers were not compromised.

Hackers on repeat

This latest breach is not the first time a credential stuffing attack has hit the DraftKings sportsbook. In November 2022, DraftKings suffered a similar hack, costing roughly 67,000 customers an estimated $300,000 in losses, which the company was forced to refund.

In the 2022 attack, once the hackers had access to the user accounts, they were said to have quickly changed the users’ passwords, enabled two-factor authentication (2FA) on a different phone number, and then withdrawn as much cash as possible from the victims' linked bank accounts.
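The sequence described in that paragraph (login, password change, 2FA re-enrolled on a new phone number, withdrawal, all within minutes) is a post-login signal a defender can alert on independently of how the credentials were obtained. The following is an added example, not code from the article or from DraftKings, that scans constructed account-activity events for that full sequence after a login and ignores accounts that only perform one or two of the steps. The event names and log format are assumptions about what an account-activity log records.

```python
"""Flag the takeover sequence described in the 2022 incident: a login followed
in quick succession by a password change, 2FA enrolment on a new phone number
and a withdrawal. Event lines are constructed for this example, not DraftKings
data; the event names are assumptions about what an account-activity log records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <account> <event> <detail>".
SAMPLE_EVENTS = """\
2022-11-18T09:00:00 victim1 login new_device
2022-11-18T09:01:10 victim1 password_change -
2022-11-18T09:02:05 victim1 mfa_enroll phone_changed
2022-11-18T09:04:30 victim1 withdrawal 1500
2022-11-18T10:00:00 regular login known_device
2022-11-18T10:05:00 regular password_change -
2022-11-18T11:00:00 careful login known_device
2022-11-18T11:03:00 careful mfa_enroll phone_changed
2022-11-18T13:30:00 careful withdrawal 50
"""

# All three must follow one login inside the window to raise the flag.
TAKEOVER_STEPS = ("password_change", "mfa_enroll", "withdrawal")


def parse_events(text):
    """Yield (timestamp, account, event, detail) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, account, event, detail = line.split()
            yield datetime.fromisoformat(ts), account, event, detail


def find_takeover_sequences(text, window=timedelta(minutes=30)):
    """Return {account: minutes from login to withdrawal} for each account whose
    post-login activity contains the complete takeover sequence."""
    by_account = defaultdict(list)
    for ts, account, event, detail in parse_events(text):
        by_account[account].append((ts, event, detail))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (login_ts, event, _) in enumerate(events):
            if event != "login":
                continue
            seen = {}
            for ts, later_event, _ in events[i + 1:]:
                if ts - login_ts > window:
                    break  # outside the window: stop scanning this login
                if later_event in TAKEOVER_STEPS:
                    seen.setdefault(later_event, ts)
            if all(step in seen for step in TAKEOVER_STEPS):
                minutes = (seen["withdrawal"] - login_ts).total_seconds() / 60
                flagged[account] = minutes
                break  # one hit per account is enough to act on
    return flagged


if __name__ == "__main__":
    for account, minutes in find_takeover_sequences(SAMPLE_EVENTS).items():
        print(f"{account}: full takeover sequence, withdrawal {minutes:.1f} min after login")
```

A practical response to a hit is to hold the withdrawal for review and re-verify the account through the previously registered contact channel, since the freshly enrolled phone number is exactly the one the attacker controls.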

Some affected customers reportedly watched in real time as the hackers took over their accounts and drained the money from them.

Steve Cobb, Chief Information Security Officer at SecurityScorecard, points out that the latest breach is “nearly identical” to the 2022 breach. However, he noted that "fewer than thirty accounts were compromised" this time around.

“The method has not changed,” Cobb said. “Threat actors use stolen credentials from other platforms to breach accounts and extract sensitive data. The impact may be smaller, but the pattern is clear. Vendors continue to delay platform-wide safeguards, even after repeated breaches.”

Cobb also slams DraftKings for requiring multifactor authentication only for potentially affected users, instead of enforcing it across the board.

“That selective response reflects a reactive mindset, not a preventative one. If a $300,000 breach was not enough to trigger universal protections, what would be?” he asks.

Cobb believes that "without proactive enforcement and structural safeguards," an attack of this kind is likely to happen again.

“Vendors need to stop treating these breaches as isolated events and start confronting the underlying vulnerabilities that make them inevitable.”

DraftKings is urging customers to change their passwords, monitor their accounts and credit reports for identity theft, and if they choose to, place a security freeze or fraud alert on their credit files.

No cybercriminal group has claimed responsibility for either attack.