
DraftKings Account Breaches: Credential Stuffing Attacks Expose Customer Data and Financial Risks

  • Rescana
  • Oct 8
  • 7 min read

Executive Summary

DraftKings, a leading sports betting and daily fantasy sports provider, has experienced multiple waves of account breaches due to credential stuffing attacks, with major incidents confirmed in November 2022 and October 2025. Credential stuffing is a technique where attackers use automated tools to test large numbers of stolen username and password pairs, typically obtained from unrelated data breaches, against DraftKings accounts. The 2022 incident resulted in over 67,000 customer accounts being compromised and up to $300,000 in unauthorized withdrawals, all of which were refunded. The 2025 incident, while much smaller in scale, affected fewer than 30 customers and did not result in financial loss. In both cases, there is no evidence that DraftKings’ own systems were breached; attackers exploited reused credentials from other sites. Exposed data included names, addresses, dates of birth, phone numbers, email addresses, last four digits of payment cards, and account activity details, but not full financial account numbers or government-issued IDs. DraftKings responded by enforcing password resets, enhancing fraud alerts, and recommending multifactor authentication. These incidents highlight the persistent risk of credential reuse and the importance of strong authentication controls in the online gambling sector. All information in this summary is directly supported by the cited sources: https://www.bleepingcomputer.com/news/security/draftkings-warns-of-account-breaches-in-credential-stuffing-attacks/, https://www.bitdefender.com/en-us/blog/hotforsecurity/some-draftkings-accounts-compromised-in-credential-stuffing-attack-company-promises-to-return-lost-funds, and https://topclassactions.com/lawsuit-settlements/privacy/data-breach/draftkings-data-breach-exposes-data-of-67k-customers/.

Technical Information

Credential stuffing is a form of automated attack where threat actors use large sets of stolen username and password combinations, typically sourced from previous unrelated data breaches, to attempt unauthorized logins on a target platform. In the case of DraftKings, attackers leveraged this technique to gain access to customer accounts in both 2022 and 2025. The attack methodology involved the use of automated credential stuffing tools, which are widely available and capable of testing millions of credential pairs in a short period. These tools, such as Sentry MBA, Snipr, or OpenBullet, are designed to bypass basic security controls by mimicking legitimate login attempts and distributing requests across multiple IP addresses to avoid detection and rate-limiting. While the specific tool used in the DraftKings incidents was not named in the available sources, the attack pattern is consistent with these frameworks, as confirmed by FBI advisories referenced in the BleepingComputer report (https://www.bleepingcomputer.com/news/security/draftkings-warns-of-account-breaches-in-credential-stuffing-attacks/).

The technical sequence of the attack began with the acquisition of credential lists from previous breaches. Attackers then used automated scripts to attempt logins on DraftKings accounts. Upon successful authentication, attackers could access sensitive personal information, including the customer’s name, address, date of birth, phone number, email address, last four digits of a payment card, profile photo, transaction history, account balance, and the date the password was last changed. In the 2022 incident, attackers escalated their access by changing two-factor authentication (2FA) settings, redirecting 2FA codes to their own devices and locking out legitimate users. This allowed them to initiate unauthorized withdrawals, sometimes directly from linked bank accounts, before the account owner could regain control. The 2025 incident followed a similar pattern but was detected and contained more rapidly, affecting fewer than 30 customers and resulting in no financial loss.

The attacks did not involve malware deployment, phishing, or exploitation of vulnerabilities in DraftKings’ infrastructure. All available evidence, including statements from DraftKings and regulatory filings, confirms that the attackers did not breach the company’s internal systems. Instead, the attacks relied entirely on credential reuse by customers and the absence or misconfiguration of multifactor authentication. The MITRE ATT&CK framework maps these activities to several techniques: Valid Accounts (T1078), Brute Force: Credential Stuffing (T1110.004), Modify Authentication Process (T1556), Data from Information Repositories (T1213), and Transfer Funds (T1657). The evidence for these mappings is strong, as all are directly supported by the primary sources and regulatory disclosures.

The gambling and sports betting sector is particularly vulnerable to credential stuffing due to the high value of stored funds and the prevalence of linked bank accounts. Attackers are incentivized to target such platforms because successful account takeovers can yield immediate financial rewards. The sector also faces heightened regulatory and reputational risks, as demonstrated by the class action lawsuits and regulatory filings following the 2022 incident. The FBI and industry advisories have repeatedly warned that credential stuffing attacks are increasing in frequency and sophistication, driven by the availability of aggregated credential lists and automated attack tools.

No specific threat actor or group has been publicly attributed to the DraftKings incidents. The use of commodity tools and reliance on previously breached credentials is typical of financially motivated cybercriminals rather than advanced persistent threat (APT) groups. There is no evidence of malware, unique infrastructure, or other technical artifacts that would allow for higher-confidence attribution. The attacks are best characterized as opportunistic, targeting users who reuse credentials across multiple platforms and who have not enabled strong authentication controls.

The technical response from DraftKings included forced password resets for affected accounts, the implementation of additional fraud alerts, and the recommendation or enforcement of multifactor authentication for all users. In the 2022 incident, the company refunded up to $300,000 to affected customers and advised users to unlink their bank accounts, change their passwords, and monitor their financial statements for suspicious activity. In the 2025 incident, the company acted quickly to contain the attack, and no financial losses were reported.

The evidence supporting these technical conclusions is robust, as it is based on direct statements from DraftKings, regulatory filings, and independent reporting from BleepingComputer, Bitdefender, and Top Class Actions. The absence of malware, phishing, or infrastructure compromise is explicitly stated in the company’s disclosures and corroborated by all primary sources.

Affected Versions & Timeline

The credential stuffing attacks against DraftKings occurred in two major waves. The first confirmed incident took place in November 2022, with public disclosure and regulatory filings following in December 2022. During this incident, more than 67,000 customer accounts were compromised, and up to $300,000 was withdrawn by attackers before the breach was detected and contained. The second incident was identified in early October 2025, with notification letters sent to affected customers on October 2, 2025, and public confirmation on October 7, 2025. This more recent attack affected fewer than 30 customers and did not result in any financial loss.

The affected platform in both incidents was the DraftKings online sportsbook and daily fantasy sports service. There is no evidence that any specific software version or infrastructure component was exploited; the attacks were successful due to credential reuse by customers and the absence or misconfiguration of multifactor authentication. The company’s internal systems and networks were not breached in either incident, as confirmed by DraftKings and regulatory filings.

The timeline of key events is as follows: In November 2022, attackers launched a large-scale credential stuffing campaign, resulting in unauthorized access to over 67,000 accounts. The breach was disclosed to regulators and the public in December 2022, and affected customers were notified and refunded. In October 2025, a new wave of credential stuffing attacks was detected, with fewer than 30 accounts compromised. The company responded by notifying affected customers, enforcing password resets, and recommending multifactor authentication.

Threat Activity

The threat activity observed in the DraftKings incidents is characteristic of financially motivated cybercriminals employing automated credential stuffing techniques. Attackers obtained large lists of username and password pairs from previous, unrelated data breaches and used automated tools to test these credentials against DraftKings accounts. The primary objective was to gain unauthorized access to accounts with stored funds or linked bank accounts, enabling the theft of personal information and the withdrawal of funds.

In the 2022 incident, attackers escalated their access by changing two-factor authentication settings, effectively locking out legitimate users and facilitating rapid unauthorized withdrawals. The attackers’ activities included viewing and exfiltrating personal data, changing account settings, and initiating financial transactions. The scale of the attack was significant, with over 67,000 accounts compromised and up to $300,000 stolen before the breach was contained. The company refunded all affected customers and implemented additional security measures.

The 2025 incident followed a similar pattern but was detected and contained more rapidly, limiting the impact to fewer than 30 accounts and preventing financial loss. The attackers did not breach DraftKings’ internal systems or infrastructure; all unauthorized access was achieved through credential reuse and the absence or misconfiguration of multifactor authentication.

The threat activity did not involve malware deployment, phishing, or exploitation of software vulnerabilities. The attacks were entirely dependent on the availability of stolen credentials and the use of automated tools to perform large-scale login attempts. The absence of technical artifacts, such as malware samples or unique infrastructure, limits the ability to attribute the attacks to a specific threat actor or group. The activity is consistent with opportunistic, financially motivated cybercriminals targeting high-value accounts in the gambling and sports betting sector.

Mitigation & Workarounds

Mitigation of credential stuffing attacks requires a multi-layered approach, with the most critical controls prioritized as follows:

Critical: Enforce multifactor authentication (MFA) for all customer accounts, especially those with stored funds or linked bank accounts. MFA significantly reduces the risk of account takeover, even if credentials are compromised.

High: Implement robust password policies that require unique, complex passwords for each account. Educate users about the risks of credential reuse and provide tools or guidance for creating and managing strong passwords.

High: Deploy automated detection and response systems to identify and block credential stuffing attempts. This includes rate-limiting login attempts, monitoring for unusual login patterns, and using device fingerprinting to detect automated tools.

Medium: Require periodic password resets for all users, especially following a known breach or credential stuffing campaign. Notify users of suspicious login activity and provide clear instructions for securing their accounts.

Medium: Encourage or require users to unlink bank accounts or payment methods if suspicious activity is detected. Provide guidance on monitoring financial statements and credit reports for signs of fraud.

Low: Offer security awareness training to customers, emphasizing the importance of unique credentials and the dangers of phishing and credential reuse.
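The detection control above (rate-limiting, monitoring for unusual login patterns) has to cover both shapes of credential stuffing that the Technical Information section describes: a single source testing many stolen pairs, and a tool that spreads requests across many addresses so each one stays under a per-IP limit. The following is an added example written for this report, not DraftKings or Rescana code. The log format, the sample traffic, and the thresholds (10 attempts per IP, 80% distinct usernames, 80% failure rate, 20 failing low-volume IPs) are constructed assumptions and would be tuned against real baseline traffic.

```python
"""Credential stuffing detection over an authentication log (added example, not DraftKings code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: str
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    kind: str              # "single_source" or "distributed"
    subject: str           # offending IP, or "global" for a distributed wave
    attempts: int
    distinct_users: int
    failure_rate: float
    action: str            # recommended response
    hits: list = field(default_factory=list)   # accounts that authenticated from a flagged source


def build_sample_log() -> str:
    """Constructed sample log, one event per line: '<timestamp> <ip> <username> <OK|FAIL>'. Not real data."""
    lines = []
    # Normal traffic: each customer logs in from one address; one of them mistypes a password once.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"]):
        lines.append(f"2025-10-01T10:00:0{i}Z 192.0.2.{i + 1} {user} OK")
    lines.append("2025-10-01T10:00:10Z 192.0.2.2 bob FAIL")
    # Single-source stuffing: one address cycles through 15 leaked usernames; one reused pair still works.
    for i in range(15):
        lines.append(f"2025-10-01T10:01:{i:02d}Z 203.0.113.9 leaked{i} {'OK' if i == 7 else 'FAIL'}")
    # Distributed stuffing: 30 addresses, one attempt each, every attempt against a different username.
    for i in range(30):
        lines.append(f"2025-10-01T10:02:{i:02d}Z 198.51.100.{i + 1} victim{i} {'OK' if i == 3 else 'FAIL'}")
    return "\n".join(lines)


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        ts, ip, user, result = parts
        events.append(Event(ts, ip, user, result == "OK"))
    return events


def detect_stuffing(events, min_attempts=10, user_spread=0.8, fail_rate=0.8, distributed_min_ips=20) -> list:
    """Two heuristics. A single-source stuffer is an IP with many attempts, almost all against
    different usernames, almost all failing. A distributed wave keeps each IP under the per-IP
    threshold, so it is caught in aggregate: many low-volume IPs failing against many distinct users."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        attempts, users = len(evs), {e.user for e in evs}
        fails = sum(1 for e in evs if not e.ok)
        if attempts >= min_attempts and len(users) / attempts >= user_spread and fails / attempts >= fail_rate:
            # Successful logins from a flagged source are the accounts to force-reset first.
            findings.append(Finding("single_source", ip, attempts, len(users), fails / attempts, "block_ip",
                                    hits=[e.user for e in evs if e.ok]))
    low_volume = [e for ip, evs in by_ip.items() if len(evs) < min_attempts for e in evs]
    failing_ips = {e.ip for e in low_volume if not e.ok}
    fails = sum(1 for e in low_volume if not e.ok)
    if low_volume and len(failing_ips) >= distributed_min_ips and fails / len(low_volume) >= fail_rate:
        # No single IP to block here; the proportionate response is a step-up challenge on login.
        findings.append(Finding("distributed", "global", len(low_volume), len({e.user for e in low_volume}),
                                fails / len(low_volume), "step_up_challenge"))
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(build_sample_log())):
        print(f"{f.kind:14} {f.subject:14} attempts={f.attempts} users={f.distinct_users} "
              f"fail_rate={f.failure_rate:.2f} action={f.action} hits={f.hits}")
```

The distributed heuristic deliberately reports no `hits`: successful logins during a distributed wave are indistinguishable from normal customers in this log alone, which is why the recommended action is a step-up challenge rather than a block.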

DraftKings’ response to the incidents included forced password resets, the implementation of additional fraud alerts, and the recommendation or enforcement of multifactor authentication. The company also refunded affected customers and provided guidance on securing accounts and monitoring for fraud. These measures align with industry best practices for mitigating credential stuffing attacks.

References

BleepingComputer (October 7, 2025): https://www.bleepingcomputer.com/news/security/draftkings-warns-of-account-breaches-in-credential-stuffing-attacks/

Bitdefender (November 22, 2022): https://www.bitdefender.com/en-us/blog/hotforsecurity/some-draftkings-accounts-compromised-in-credential-stuffing-attack-company-promises-to-return-lost-funds

Top Class Actions (December 21, 2022): https://topclassactions.com/lawsuit-settlements/privacy/data-breach/draftkings-data-breach-exposes-data-of-67k-customers/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous monitoring of vendor security posture, supports incident response workflows, and facilitates evidence-based risk assessments. For questions about this report or to discuss how Rescana can support your risk management program, please contact us at ops@rescana.com.
