- On September 2, 2025, DraftKings accounts were compromised via a credential stuffing or brute-force attack.
- Exposed data includes names, email addresses, phone numbers, payment card numbers, and account information.
- Customers are strongly encouraged to reset passwords, enable 2FA, and monitor credit reports for fraud.
Gambling company DraftKings has warned some of its users that their accounts have been hacked and some sensitive data stored there has been accessed.
In a data breach notification letter published on the official website of the Commonwealth of Massachusetts, DraftKings explained that its systems were not hacked and that it was either a credential stuffing or brute-force attack that occurred on September 2, 2025.
“However, by stealing login credentials from a non-DraftKings source and using them in this attack, the attacker may have temporarily been able to log into the accounts of certain DraftKings customers,” the email said. “Importantly, our investigation to date has not found any evidence that your login credentials were obtained from DraftKings or that DraftKings computer systems or networks were compromised as part of this incident.”
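The letter leaves open whether this was credential stuffing or brute force, and the two leave different shapes in login logs. The Python below is an added example, not code from DraftKings or the original article; the event tuple format, the thresholds and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events (source_ip, username, success); not real data.
EVENTS = (
    [("203.0.113.7", u, u == "dave") for u in ("amy", "ben", "cat", "dave", "eve", "fay")]
    + [("198.51.100.9", "bob", False)] * 6
    + [("192.0.2.44", "carol", False), ("192.0.2.44", "carol", True)]
)

def classify_sources(events, min_attempts=5, spread=0.8):
    """Label each source by the shape of its login traffic.

    Thresholds are illustrative assumptions; tune them on real traffic.
    """
    per_ip = defaultdict(list)
    for ip, user, _ok in events:
        per_ip[ip].append(user)
    verdicts = {}
    for ip, users in per_ip.items():
        ratio = len(set(users)) / len(users)  # distinct usernames per attempt
        if len(users) < min_attempts:
            verdicts[ip] = "normal"
        elif ratio >= spread:
            # Many accounts, about one try each: replayed leaked pairs.
            verdicts[ip] = "credential_stuffing"
        elif ratio <= 1 - spread:
            # Few accounts, many tries each: password guessing.
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "mixed"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip, "normal") != "normal"})

if __name__ == "__main__":
    v = classify_sources(EVENTS)
    print(v)                              # verdict per source IP
    print(accounts_to_reset(EVENTS, v))   # accounts needing a forced reset
```

Real stuffing campaigns are usually spread across many source addresses, so in practice the same ratio is also computed per ASN, user agent or time window rather than per IP alone.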
Was anything “sensitive” stolen?
The company did not say how many people were affected by the attack or who was behind it. It said the exposed data included people's names, dates of birth, phone numbers, email addresses, the last four digits of their payment cards, profile photos, information about previous transactions, account balances and the date they last changed their password.
This is a lot of information and can be used for all sorts of malicious purposes. Attackers can use it for financial fraud, identity theft, account takeover, spear phishing, SIM swapping attacks, social engineering and ultimately extortion.
DraftKings emphasized that “sensitive” customer information, such as government-issued identification numbers, full financial account numbers or “other information that would allow an attacker to commit identity theft or to access our clients’ bank accounts,” was not exposed.
The company now urges customers to reset their login credentials, configure two-factor authentication, and introduce additional safeguards. It also asked them to check their accounts and credit reports and to consider security locks and fraud alerts.
Via BleepingComputer