
Credential Stuffing Attacks Compromise DraftKings User Accounts

Sporting firm DraftKings is notifying customers of a data breach stemming from credential stuffing attacks that allowed unauthorized third parties to access certain accounts.

Credential stuffing involves compromising user accounts using leaked passwords obtained from other services. It particularly affects users who reuse passwords.
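The defining signature of credential stuffing is one source trying many different usernames in a short window with a low success rate, because the attacker is replaying leaked username/password pairs rather than guessing at one account. The following Python script is an added example, not code from the article or from DraftKings: it parses a constructed authentication log (the line format and IPs are assumptions) and flags source IPs whose activity matches that pattern, then lists the accounts that were successfully logged into from a flagged IP so they can be forced through a password reset and MFA enrolment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real DraftKings data).
# Line format (assumed): "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2025-09-02T10:00:01 203.0.113.7 alice LOGIN_FAIL
2025-09-02T10:00:02 203.0.113.7 bob LOGIN_FAIL
2025-09-02T10:00:02 203.0.113.7 carol LOGIN_FAIL
2025-09-02T10:00:03 203.0.113.7 dave LOGIN_OK
2025-09-02T10:00:04 203.0.113.7 erin LOGIN_FAIL
2025-09-02T10:00:05 203.0.113.7 frank LOGIN_FAIL
2025-09-02T10:00:06 203.0.113.7 grace LOGIN_OK
2025-09-02T10:01:00 198.51.100.20 alice LOGIN_FAIL
2025-09-02T10:01:30 198.51.100.20 alice LOGIN_FAIL
2025-09-02T10:02:00 198.51.100.20 alice LOGIN_OK
2025-09-02T10:03:00 192.0.2.55 heidi LOGIN_OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within any `window`, attempted at least
    `min_distinct_users` different accounts with a success ratio at or
    below `max_success_ratio`. One user retrying their own password
    (one account, few attempts) does not match and is left alone."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        best = None
        # Sliding window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            ratio = successes / len(chunk)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                candidate = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "successes": successes,
                    # Accounts the attacker actually got into from this IP.
                    "compromised": [u for _, u, ok in chunk if ok],
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts[ip] = best
    return alerts


def accounts_to_protect(alerts):
    """Accounts to force through a password reset and MFA enrolment:
    every account successfully logged into from a flagged IP."""
    users = set()
    for info in alerts.values():
        users.update(info["compromised"])
    return sorted(users)


if __name__ == "__main__":
    alerts = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in alerts.items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['successes']}/{info['attempts']} succeeded")
    print("force reset + MFA:", accounts_to_protect(alerts))
```

On the sample log, 203.0.113.7 is flagged (seven accounts tried in six seconds, two successes) and `alice` retrying from 198.51.100.20 is not; the output lists `dave` and `grace` as the accounts to reset. Thresholds are deliberately parameters: real traffic behind a shared NAT or a corporate proxy legitimately produces many distinct usernames from one IP, so tune `min_distinct_users` and the window against a baseline before acting on alerts automatically.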

Boston-based DraftKings partners with major leagues, including the NFL, NHL, PGA TOUR, WNBA, UFC, and NASCAR, and reported annual revenue of $4.77 billion in 2024.

The fantasy sports service said it detected the cyber attack on September 2, 2025, and responded by launching an investigation and taking additional steps to mitigate the incident.

However, the investigation determined that the threat actor had accessed personal details from certain customer accounts.

“Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident,” the company stated in a data breach notification filed in Massachusetts.

Credential stuffing attacks compromised “limited” DraftKings user data

DraftKings said the credential stuffing attacks exposed the victims’ names, addresses, dates of birth, phone numbers, email addresses, last four digits of their payment cards, and profile photos.

The breach also exposed customer account information, such as transaction history, account balance, and last password reset date. However, the threat actors did not access government-issued ID numbers, such as driver’s license numbers, or full financial account numbers.

The company also stressed that the stolen passwords did not originate from any of its services and its internal computer systems were unaffected.

“By stealing login credentials from a non-DraftKings source and using them in this attack, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts.”

Subsequently, DraftKings advised its users to reset their account passwords and enable multi-factor authentication to avoid becoming victims of subsequent credential stuffing attacks.

“DraftKings is now requiring multifactor authentication only for potentially affected users, instead of enforcing it across the board,” lamented Steve Cobb, Chief Information Security Officer at SecurityScorecard. “That selective response reflects a reactive mindset, not a preventative one.”

The company does not appear to be offering identity theft protection services, but advised its users to monitor their financial statements and credit reports for any suspicious activity.

“You can regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies,” the company said.

So far, DraftKings has not attributed the credential stuffing attacks to any threat group, and no cybercrime gang has claimed responsibility.

Although leaked credentials are readily available for sale on the dark web, the source of the leaked login details remains undisclosed.

Not the first credential stuffing attack for DraftKings

DraftKings is no stranger to credential stuffing attacks, and their recurrence raises concerns about its cybersecurity practices.

“DraftKings is facing another credential stuffing breach, nearly identical to the one in 2022 that forced the company to refund three hundred thousand dollars to over sixty-seven thousand customers,” Cobb added. “This time, fewer than thirty accounts were compromised, but attackers still accessed names, addresses, birthdates, contact information, partial payment card digits, account balances, and transaction history. The method has not changed. Threat actors used stolen credentials from other platforms to breach accounts and extract sensitive data.”

In November 2022, cyber miscreants breached DraftKings using compromised credentials from other services. During the breach, the attackers stole $600,000 from customer accounts by adding new payment methods and emptying the victims’ accounts, forcing the company to issue approximately $300,000 in refunds.

“If a three hundred-thousand-dollar breach was not enough to trigger universal protections, what would be?” Cobb asked.

In 2024, Joseph Garrison was sentenced to 1.5 years in prison and 3 years of supervised release in connection with the DraftKings credential stuffing attacks after pleading guilty. He was also ordered to forfeit $175,000 from the proceeds of cybercrime and pay $1.3 million in restitution.

Two other suspects, Nathan Austad, 19, and Kamerin Stokes, 21, were also indicted on conspiracy to commit computer intrusion, two counts of computer fraud, wire fraud conspiracy, wire fraud, and aggravated identity theft. If convicted, they could face up to twenty years in prison.