
Cyber Incident Victim: DraftKings

Date: Nov 2022

Location: United States of America

Summary

A credential stuffing attack targeted DraftKings, resulting in unauthorized access to customer accounts and losses nearing $300,000. Attackers exploited credentials compromised from other platforms to hijack accounts, altering passwords and enabling two-factor authentication under their control before draining funds from linked bank accounts. The company confirmed no breach of its own systems, attributing the incident to reused credentials, and committed to reimbursing affected users. This event highlighted broader risks of credential stuffing, where automated tools leverage stolen login pairs to compromise accounts across services, often leading to financial theft or identity fraud. Industry reports indicate such attacks represent a significant portion of authentication traffic, driven by widespread password reuse and accessible leaked credential databases.


Description

On November 21, 2022, DraftKings publicly addressed a credential stuffing attack affecting customer accounts after users reported unauthorized access via social media. The company initiated an investigation following early Monday morning tweets from customers experiencing account issues, with some victims observing repeated unauthorized withdrawals from linked bank accounts while unable to contact customer support. Attackers compromised accounts by using credentials previously exposed through other online services, initiating a $5 deposit before changing account passwords and enabling two-factor authentication with attacker-controlled phone numbers. This allowed threat actors to bypass security measures and drain funds, with total losses estimated at less than $300,000 across affected accounts. DraftKings confirmed no evidence of a direct breach of its own systems, attributing the compromise solely to credential reuse across multiple platforms by customers.


DraftKings President and Cofounder Paul Liberman stated the company would fully reimburse impacted customers within 12 hours of acknowledging the incident. The organization advised users to enable two-factor authentication, remove banking details from accounts, and avoid password reuse across services. The attack exemplified credential stuffing tactics where automated tools test stolen credentials from third-party breaches against target accounts, leveraging password reuse vulnerabilities. In this incident, attackers monetized compromised accounts through direct financial theft rather than data resale, transferring funds to accounts under their control. The FBI and Okta had previously documented rising credential stuffing volumes, with Okta reporting 10 billion such events in Q1 2022 alone, representing 34% of all authentication traffic on its platform during that period. DraftKings’ public response focused on customer reimbursement and security hygiene recommendations without disclosing technical detection or containment measures beyond account restoration.
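The takeover sequence described above (a small deposit, a password change, two-factor enrollment with a new phone number, then a withdrawal) can be searched for in account event logs. The following Python is an added example, not DraftKings' detection logic; the event field names, the two-hour window and the $10 probe threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Ordered steps of the takeover chain described in the write-up above.
CHAIN = ("deposit", "password_change", "mfa_enroll", "withdrawal")

def qualifies(ev, phones, max_probe):
    if ev["type"] == "deposit":
        return ev["amount"] <= max_probe      # small probing deposit (the page cites $5)
    if ev["type"] == "mfa_enroll":
        return ev["phone"] not in phones      # number never seen on this account
    return True

def flag_takeovers(events, known_phones, window=timedelta(hours=2), max_probe=10.0):
    """Return {account: [timestamps]} for accounts that complete CHAIN in order
    within `window` of the probing deposit. Thresholds are assumptions."""
    progress, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        steps = progress.get(acct, [])
        if steps and ev["ts"] - steps[0] > window:
            steps = []                        # stale partial match: start over
        if ev["type"] == CHAIN[len(steps)] and qualifies(
                ev, known_phones.get(acct, set()), max_probe):
            steps = steps + [ev["ts"]]
        if len(steps) == len(CHAIN):
            hits[acct] = steps
            steps = []
        progress[acct] = steps
    return hits

def sample_event(minute, account, kind, **extra):
    # Constructed sample event; field names are hypothetical.
    return {"ts": datetime(2024, 1, 15, 9, 0) + timedelta(minutes=minute),
            "account": account, "type": kind, **extra}

# Constructed sample data, not taken from the incident.
KNOWN_PHONES = {"A-1001": {"+1-555-0100"}, "A-2002": {"+1-555-0142"}}
SAMPLE = [
    sample_event(0, "A-1001", "deposit", amount=5.0),
    sample_event(2, "A-1001", "password_change"),
    sample_event(3, "A-1001", "mfa_enroll", phone="+1-555-0199"),  # new number
    sample_event(9, "A-1001", "withdrawal", amount=480.0),
    sample_event(1, "A-2002", "deposit", amount=5.0),
    sample_event(4, "A-2002", "password_change"),
    sample_event(6, "A-2002", "mfa_enroll", phone="+1-555-0142"),  # owner's known number
    sample_event(8, "A-2002", "withdrawal", amount=20.0),
]

print(sorted(flag_takeovers(SAMPLE, KNOWN_PHONES)))
```

Account A-2002 performs the same four actions but re-enrolls its own known number, so it is not flagged; the new-number condition is what separates the chain from an ordinary security update followed by a cash-out.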
