DraftKings warns users they may be hit by cyberattacks following breach
DraftKings users are targeted once again

- DraftKings accounts were compromised via a credential stuffing or brute-force attack on September 2, 2025
- Exposed data includes names, emails, phone numbers, payment card digits, and account details
- Customers are urged to reset passwords, enable 2FA, and monitor credit reports for fraud
Gambling company DraftKings has warned some of its users that their accounts were hacked and that some of the sensitive data stored there was accessed.
In a data breach notification letter posted on the official website of the Commonwealth of Massachusetts, DraftKings explained that its systems were not breached, and that this was either a credential stuffing or a brute-force attack, which happened on September 2, 2025.
“By stealing login credentials from a non-DraftKings source and using them in this attack, however, the bad actor may have temporarily been able to log into certain DraftKings customers’ accounts,” the letter reads. “Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident.”
Nothing "sensitive" was stolen?
The company did not say how many people were affected by the attack, or who attacked them. It said that the data exposed includes people’s names, dates of birth, phone numbers, email addresses, last four digits of their payment cards, profile photos, information about prior transactions, account balance, and the date of the last password change.
This is a lot of information, and it can be used in all sorts of malicious ways. Attackers can use it for financial fraud, identity theft, account takeovers, targeted phishing, SIM-swap attacks, social engineering, and, ultimately, extortion.
DraftKings stressed that “sensitive” customer information such as government-issued ID numbers, full financial account numbers, or “other information that would enable the bad actor to commit identity theft or to access our customers’ bank accounts” was not accessed.
It is now urging customers to reset their login credentials, set up two-factor authentication, and implement additional safeguards. It also asked them to review their account and credit reports, and consider placing security freezes and fraud alerts.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.