DraftKings has disclosed that a recent wave of credential stuffing attacks allowed attackers to access a limited number of customer accounts using credentials stolen from unrelated online services. The Boston-based sports betting and daily fantasy operator began notifying affected users on October 2, 2025, explaining that the incidents were consistent with credential reuse rather than a compromise of its own systems.
The company said attackers leveraged automated tools to test username and password combinations obtained from previous breaches elsewhere, resulting in unauthorized logins to fewer than 30 accounts. “By stealing login credentials from a non-DraftKings source and using them in this attack, however, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts,” the company stated.
DraftKings emphasized that there is no evidence its networks or databases were breached. The exposed data included customers’ names, addresses, phone numbers, email addresses, dates of birth, the last four digits of payment cards, profile photos, account balances, and the date passwords were last changed. However, no government-issued identification numbers, full financial account numbers, or credentials stored by DraftKings were accessed.
“Our investigation to date has observed no evidence that the login credentials used were obtained from DraftKings or that DraftKings’ computer systems or networks were breached. Most importantly, no customers have experienced financial loss because of this incident.” — DraftKings spokesperson
DraftKings, which reported $4.77 billion in revenue for 2024 and employs over 5,100 staff, is an official partner of the NFL, NHL, PGA TOUR, WNBA, UFC, and NASCAR. The company previously suffered a similar credential stuffing campaign in November 2022, when approximately $300,000 was stolen from customer accounts. That incident affected nearly 68,000 users, all of whom were later refunded.
Limited Impact but Renewed Focus on Credential Stuffing Risks in Online Betting Platforms
Following the incident, DraftKings initiated a mandatory password reset for affected accounts and instructed customers to enable multifactor authentication for DK Horse and other services. The company also urged users to adopt unique passwords and review their financial and credit records for potential irregularities. Customers were advised to place security freezes on their credit files and activate fraud alerts as a preventive step.
Credential stuffing, a form of automated cyberattack, continues to be a major threat to online businesses, particularly in sectors where account balances can be quickly monetized. Attackers aggregate massive lists of previously leaked credentials and use bots to attempt logins across popular platforms. Success rates may be low per attempt, but at scale, the attacks yield consistent results when users reuse credentials.
According to the FBI, credential stuffing has been increasing sharply due to the proliferation of leaked credential databases and readily available automation tools. The technique has become especially profitable in the gambling, e-commerce, and streaming industries, where account access can be rapidly converted into financial gain or sold on underground marketplaces.
DraftKings’ statement underscores this broader risk landscape. The company reiterated that no customer funds were lost and that its investigation found no evidence of direct compromise. However, the company’s swift mitigation measures indicate growing industry concern over credential stuffing’s recurrence and the difficulty of fully preventing such incidents despite robust security frameworks.
“By forcing password resets and expanding multifactor authentication, DraftKings is addressing the most common vulnerability exploited in credential stuffing—credential reuse across multiple platforms.”
The incident highlights the continuing necessity for layered authentication and behavioral monitoring in online betting ecosystems, where real-time detection of suspicious logins is critical. Industry analysts note that while credential stuffing often targets consumers directly, its reputational and compliance implications for service providers can be substantial.
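The two passages above describe the attack pattern (one automated source cycling through many leaked username/password pairs, most of them failing) and the defensive need for real-time detection of suspicious logins. The following Python script is an added example, not DraftKings code or anything described in its statements: it aggregates a constructed authentication log per source IP, flags sources whose distinct-username count, failure ratio and pacing look like credential stuffing, and lists the accounts that nonetheless logged in successfully from a flagged source, which are the candidates for a forced password reset and customer notification. The log line format, the sample data and the threshold values are all assumptions chosen for illustration.

```python
"""Offline credential-stuffing detector over a constructed authentication log.

Added example; not DraftKings code. Assumed log format, one event per line:
    <ISO-8601 timestamp> <source ip> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: one bot source trying many different accounts at
# machine speed (one of them succeeds), one legitimate user who mistypes a
# password once, and one clean login. Addresses are documentation ranges.
SAMPLE_LOG = """\
2025-10-01T02:00:01Z 203.0.113.7 alice FAIL
2025-10-01T02:00:02Z 203.0.113.7 bob FAIL
2025-10-01T02:00:03Z 203.0.113.7 carol FAIL
2025-10-01T02:00:04Z 203.0.113.7 dave SUCCESS
2025-10-01T02:00:05Z 203.0.113.7 erin FAIL
2025-10-01T02:00:06Z 203.0.113.7 frank FAIL
2025-10-01T02:00:07Z 203.0.113.7 grace FAIL
2025-10-01T02:00:08Z 203.0.113.7 heidi FAIL
2025-10-01T08:15:00Z 198.51.100.5 erin FAIL
2025-10-01T08:15:09Z 198.51.100.5 erin SUCCESS
2025-10-01T09:30:00Z 192.0.2.9 alice SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to score credential-stuffing behaviour."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: List[Tuple[datetime, str]] = field(default_factory=list)
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0

    @property
    def span_seconds(self) -> float:
        if self.first is None or self.last is None:
            return 0.0
        return (self.last - self.first).total_seconds()


def parse_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "SUCCESS"


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Build per-source statistics from the whole log text."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append((ts, user))
        else:
            s.failures += 1
        s.first = ts if s.first is None or ts < s.first else s.first
        s.last = ts if s.last is None or ts > s.last else s.last
    return dict(stats)


def flag_sources(stats: Dict[str, SourceStats], min_users: int = 5,
                 min_fail_ratio: float = 0.75, max_seconds_per_attempt: float = 5.0) -> Set[str]:
    """Sources that look like stuffing: many distinct usernames, mostly failures,
    and attempts paced faster than a human types. Thresholds are illustrative."""
    flagged: Set[str] = set()
    for ip, s in stats.items():
        fast = s.attempts > 1 and s.span_seconds / (s.attempts - 1) <= max_seconds_per_attempt
        if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio and fast:
            flagged.add(ip)
    return flagged


def likely_compromised(stats: Dict[str, SourceStats], flagged: Set[str]) -> Set[str]:
    """Accounts that logged in successfully from a flagged source: the ones to
    reset, notify and review for unauthorized activity."""
    return {user for ip in flagged for _, user in stats[ip].successes}


def run(log_text: str = SAMPLE_LOG) -> Tuple[Set[str], Set[str]]:
    """Convenience wrapper returning (flagged sources, likely compromised accounts)."""
    stats = aggregate(log_text)
    flagged = flag_sources(stats)
    return flagged, likely_compromised(stats, flagged)


if __name__ == "__main__":
    sources, accounts = run()
    print("stuffing sources:", sorted(sources))       # ['203.0.113.7']
    print("accounts to reset and notify:", sorted(accounts))  # ['dave']
```

The legitimate user at 198.51.100.5 is not flagged because a single account with one typo neither spans many usernames nor reaches the failure ratio, while the bot source is caught by all three signals together. In production the same counters would be kept over a sliding time window and combined with other signals (new device, unusual geography, a password reset or withdrawal shortly after login), and a flagged source would feed rate limiting or a step-up to multifactor authentication rather than an outright block, since shared NAT addresses can hide many honest users behind one IP.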
DraftKings’ handling of the breach—rapid disclosure, mandatory resets, and transparent investigation updates—demonstrates an operational response aligned with regulatory expectations for incident reporting. Still, experts warn that as long as large repositories of leaked credentials remain available online, credential stuffing will continue to threaten any digital service relying on password-based authentication.
For DraftKings’ customers, the message is clear: unique passwords and multifactor authentication are no longer optional. For the wider gaming industry, the incident serves as another reminder that even indirect data exposures can translate into real operational and reputational risk.