DraftKings Defends Against Credential Stuffing Attack, Urges Users to Reset Passwords and Enable MFA

397/68 Friday, October 10, 2025

DraftKings, the U.S.-based online sports betting company, has issued a security advisory after detecting a credential stuffing attack on September 2, 2025. The company observed attempts to access some customer accounts using usernames and passwords previously exposed in unrelated data breaches. However, DraftKings confirmed there is no evidence that its systems were compromised or that sensitive information such as government IDs or full financial data was leaked.

Potentially accessed information includes names, addresses, dates of birth, phone numbers, emails, profile pictures, transaction details, account balances, partial membership numbers, and the last four digits of linked payment cards. DraftKings emphasized that the stolen credentials did not originate from its own systems, though attackers may have temporarily logged into certain customer accounts. The company immediately launched an internal investigation, enforced mandatory password resets for affected users, and strengthened security controls, including the mandatory activation of Multi-Factor Authentication (MFA).

This is not the first time DraftKings has been targeted with credential stuffing. In 2022, over 68,000 accounts were compromised, and in 2024, a U.S. court sentenced an 18-year-old attacker involved in that incident to 18 months in prison. The latest incident underscores the risks of password reuse across multiple online services. DraftKings advises customers to create unique, strong passwords, enable MFA, and remain vigilant against cyberattacks of this nature.

Source: https://securityaffairs.com/183110/security/draftkings-thwarts-credential-stuffing-attack-but-urges-password-reset-and-mfa.html