DraftKings reports credential stuffing attack targeting customer accounts
Learn More
Sports betting and online gaming company DraftKings is reporting a credential stuffing attack that compromised customer accounts and exposed personal information of undisclosed number of users.
The attack was conducted using stolen login credentials obtained from external sources unrelated to DraftKings. DraftKings claims that there is no evidence the login credentials were obtained from DraftKings' systems. The exposed data includes
- Full names
- Physical addresses
- Email addresses
- Phone numbers
- Dates of birth
- Profile photos
- Last four digits of payment cards
- Transaction information and history
- Account balances
- Details on when passwords were last changed
The company detected the incident on September 2, 2025, after noting unauthorized login attempts on customer accounts. The company claims that fewer than 30 customers were affected nationally.
The company is requiring all potentially impacted individuals to reset their DraftKings account passwords and has mandated multifactor authentication for logins to DraftKings Horse accounts.
