Sports betting firm DraftKings is notifying users of a recent credential stuffing campaign targeting their online accounts.
The attacks, the company says in a notification letter to the impacted users, were discovered on September 2, and relied on credentials harvested from other sources to log into users’ accounts.
“By stealing login credentials from a non-DraftKings source and using them in this attack, the bad actor may have temporarily been able to log into certain DraftKings customers’ account,” reads a copy of the notification letter that was submitted to the Massachusetts OCABR.
The attackers likely accessed users’ names, addresses, email addresses, phone numbers, dates of birth, profile photos, the last four digits of payment cards, transaction information, account balances, and details on when passwords were last changed.
“Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident,” the company says.
DraftKings also notes that it has no evidence that information such as government-issued ID numbers, financial account numbers, or other sensitive information was compromised in the attack.
The company has launched an investigation into the campaign and is requiring the potentially impacted individuals to reset their account passwords. It is also requiring multifactor authentication for logins to DraftKings Horse accounts.
The sports betting firm has not disclosed the number of impacted users. SecurityWeek has emailed DraftKings for additional information on the campaign and will update this article if the company responds.
In 2022, DraftKings disclosed a credential stuffing campaign that hit roughly 68,000 user accounts. In early 2024, Joseph Garrison was sentenced to 18 months in prison, and two other individuals, Nathan Austad and Kamerin Stokes, were indicted over the attacks.