Overview

• DraftKings began notifying customers after detecting suspicious logins on September 2 that matched credential stuffing patterns.
• The company told users an attacker may have viewed profile details, contact information, dates of birth, last four digits of payment cards, transaction history, balances, and password change dates.
• DraftKings reported no evidence that full financial account numbers or government ID numbers were accessed.
• Affected users are being required to reset passwords, and multifactor authentication is being enforced for DK Horse accounts.
• The number of impacted accounts was not disclosed, and notifications were filed with Massachusetts regulators as an investigation continues.