DraftKings, a prominent online sports betting and fantasy sports platform, experienced a credential stuffing attack in November 2022 that compromised approximately 60,000 user accounts. The attack leveraged credentials obtained from previous data breaches at other organizations, targeting customers who reused passwords across multiple services. The incident resulted in unauthorized access to DraftKings accounts, with attackers gaining control over user funds and personal data.
The attack chain began with threat actors using automated tools to test username-password combinations obtained from third-party breaches against DraftKings' login systems. Successful credential matches provided direct access to user accounts without exploiting platform vulnerabilities. Attackers accessed account balances, personal identification information, and potentially linked payment methods, enabling fraudulent withdrawals and account takeovers. The company confirmed that the breach did not result from a compromise of DraftKings' internal systems but rather from credential reuse by customers.
Three individuals have been charged in connection with the attack, with the third defendant pleading guilty to conspiracy to commit computer intrusion. The U.S. Department of Justice prosecuted the case, citing losses exceeding $600,000 from unauthorized withdrawals. DraftKings implemented mandatory password resets for affected accounts and enhanced authentication monitoring following the incident.
Attack vector: Credential stuffing attack using previously breached credentials
This breach demonstrates the critical risk of credential reuse across services, particularly in financial technology platforms where account access directly enables monetary theft. DraftKings' experience highlights the insufficiency of traditional password-based authentication for high-value accounts and the need for mandatory multi-factor authentication in sectors handling sensitive financial data. The incident underscores that organizations must assume customer credentials are already compromised through third-party breaches and implement credential stuffing detection mechanisms regardless of their own security posture.
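One form the credential stuffing detection mentioned above can take, as an added example that is not part of the original write-up or DraftKings' own tooling: flag a source that tries many distinct usernames with a high failure rate inside a short window, then list the accounts it did get into so they can be reset. The log format, thresholds, addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window per source IP
MIN_USERS = 5                  # assumed: distinct usernames tried within the window
MIN_FAIL_RATIO = 0.8           # assumed: replayed breach lists mostly fail

# Constructed sample auth log: "timestamp source_ip username result"
SAMPLE_LOG = [
    "2024-01-01T03:00:01 203.0.113.7 alice FAIL",
    "2024-01-01T03:00:02 203.0.113.7 bob FAIL",
    "2024-01-01T03:00:03 203.0.113.7 carol OK",
    "2024-01-01T03:00:04 203.0.113.7 dave FAIL",
    "2024-01-01T03:00:05 203.0.113.7 erin FAIL",
    "2024-01-01T03:00:06 203.0.113.7 frank FAIL",
    "2024-01-01T03:01:00 198.51.100.9 heidi FAIL",  # one user mistyping a password
    "2024-01-01T03:01:20 198.51.100.9 heidi FAIL",
    "2024-01-01T03:01:40 198.51.100.9 heidi OK",
]

def parse(line):
    """Split one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines):
    """Return {source_ip: [accounts it logged in to]} for sources that look like stuffing."""
    windows = defaultdict(deque)  # ip -> recent (timestamp, username, succeeded)
    successes = defaultdict(set)  # ip -> usernames with a successful login
    flagged = set()
    for ts, ip, user, ok in sorted(map(parse, lines)):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:  # drop events older than the window
            win.popleft()
        if ok:
            successes[ip].add(user)
        distinct_users = {u for _, u, _ in win}
        fail_ratio = sum(not o for _, _, o in win) / len(win)
        # Many different usernames, mostly failing: a list replay rather than
        # one customer retrying their own password.
        if len(distinct_users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flagged.add(ip)
    # Every account a flagged source reached is a reset candidate, including
    # logins that succeeded before the threshold was crossed.
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Keying on source IP alone misses runs spread across many addresses, so the same windowing is usually repeated on other grouping keys such as device fingerprint or network range.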