Credential Stuffing Attack Compromises 68,000 DraftKings Accounts, Hacker Sentenced to 30 Months
What Happened – In November 2022 a credential‑stuffing campaign replayed username/password pairs, stolen in other breaches and bought on dark‑web markets, against DraftKings logins. Approximately 68,000 accounts whose owners had reused those passwords were taken over, allowing the attacker to add payment methods, fund them, and withdraw balances. The perpetrator, Kamerin Stokes, was sentenced on April 17 2026 to 30 months in prison, three years of supervised release, $125 K forfeiture and $1.3 M restitution.
Why It Matters for TPRM –
- Credential stuffing exploits password reuse by end users, not a flaw at the target: every pair that worked against DraftKings will also work against any partner or downstream service where the same user reused it, so a stuffing campaign at one consumer platform is a supply‑chain signal for the others.
- The losses were realized through post‑login actions performed with valid credentials (new payout method, funding, withdrawal), so any downstream service needs fraud controls on account changes, not only at the login step.
- The sentencing shows law enforcement is pursuing credential‑stuffing operators, but the credential lists and replay tooling are commodity, so vendors in the same space should treat this as a standing, financially motivated threat rather than a closed case.
Who Is Affected – Online gambling, fantasy‑sports, and broader financial‑services platforms whose user base overlaps with DraftKings' (the same people tend to reuse the same passwords), and any service that relies on DraftKings APIs or shares user authentication data with it.
Recommended Actions –
- Review any third‑party contracts with DraftKings for security clauses covering account‑takeover controls (MFA, breached‑password screening, login rate limiting, step‑up verification on payout changes).
- Verify that your own login flows enforce multi‑factor authentication (MFA), screen submitted passwords against known‑breached credential sets, and rate‑limit attempts per source IP. Password hashing is still required, but it does not stop credential stuffing: the attacker already holds the plaintext pair from another site's breach.
- Conduct a risk assessment of downstream services whose users overlap with DraftKings' and may therefore be reachable with the same compromised credentials.
Technical Notes –
- Attack Vector: Credential stuffing using stolen username/password pairs (large‑scale credential reuse).
- Data Exposed: whatever the compromised account's authenticated session could display or change: account‑holder details, stored payment methods, and account balances. No password hashes were taken from DraftKings; credential stuffing replays plaintext pairs already stolen elsewhere.
- Impact: Direct monetary theft from compromised accounts; no public disclosure of a software vulnerability.
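The attack vector above has a recognisable signature in login telemetry: one source IP tries many distinct usernames in a short window with a low success rate (a user mistyping a password is one username with many failures; a shared NAT is many users with a normal success rate), and the few accounts that do succeed then get a new payment method added. The detector below, an added example and not DraftKings code, runs over constructed sample log lines in an assumed format (ISO‑8601 timestamp, source IP, username, action) and flags both the stuffing source and the accounts that show the monetisation step described in the summary.

```python
"""Credential-stuffing detection over login telemetry.

Added example, not DraftKings code. Assumes a whitespace-separated event log:
ISO-8601 timestamp, source IP, username, action.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    action: str  # login_ok | login_fail | payment_method_added | withdrawal


def parse_line(line: str) -> AuthEvent:
    ts, ip, user, action = line.split()
    return AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, action)


# Constructed sample telemetry, not real DraftKings logs.
# 203.0.113.9 replays 24 stolen username/password pairs within a minute; two
# still work (carol, dave), and dave's account then gets a new payout method
# and a withdrawal. 198.51.100.7 is an ordinary user changing a payment
# method legitimately.
_BURST_USERS = [f"user{i:02d}" for i in range(22)] + ["carol", "dave"]
SAMPLE_LOG = [
    f"2022-11-18T02:00:{i:02d}Z 203.0.113.9 {u} "
    + ("login_ok" if u in ("carol", "dave") else "login_fail")
    for i, u in enumerate(_BURST_USERS)
] + [
    "2022-11-18T02:15:00Z 203.0.113.9 dave payment_method_added",
    "2022-11-18T02:20:00Z 203.0.113.9 dave withdrawal",
    "2022-11-18T03:00:00Z 198.51.100.7 erin login_ok",
    "2022-11-18T03:05:00Z 198.51.100.7 erin payment_method_added",
]


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10,
                    max_success_rate=0.25):
    """Return source IPs that attempted >= min_users distinct usernames inside
    `window` with a success rate <= max_success_rate (thresholds are assumed
    starting points; tune them to your own traffic)."""
    by_ip = defaultdict(list)
    for e in events:
        if e.action in ("login_ok", "login_fail"):
            by_ip[e.ip].append(e)
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e.ts)
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(attempts)):
            while j < len(attempts) and attempts[j].ts - attempts[i].ts <= window:
                j += 1
            span = attempts[i:j]
            if len({e.user for e in span}) < min_users:
                continue
            ok = sum(e.action == "login_ok" for e in span)
            if ok / len(span) <= max_success_rate:
                flagged.add(ip)
                break
    return flagged


def takeover_candidates(events, flagged_ips, follow=timedelta(hours=1)):
    """Accounts that logged in successfully from a flagged IP and then had a
    payment method added within `follow`: the monetisation step, and the
    point at which to hold funds and force re-verification."""
    logins = defaultdict(list)  # user -> successful login times from flagged IPs
    for e in events:
        if e.action == "login_ok" and e.ip in flagged_ips:
            logins[e.user].append(e.ts)
    suspects = set()
    for e in events:
        if e.action == "payment_method_added" and any(
            timedelta(0) <= e.ts - t <= follow for t in logins.get(e.user, [])
        ):
            suspects.add(e.user)
    return suspects


def run_sample():
    events = [parse_line(line) for line in SAMPLE_LOG]
    ips = detect_stuffing(events)
    return ips, takeover_candidates(events, ips)


if __name__ == "__main__":
    ips, users = run_sample()
    print("stuffing sources:", sorted(ips))
    print("likely takeovers:", sorted(users))
```

On the sample, the replay source is flagged and dave is the only takeover candidate: carol's account was also entered but showed no payout change, and erin's change came from an unflagged IP. The two‑stage check matters operationally: blocking the source IP alone misses accounts already entered, and alerting on every payment‑method change drowns the fraud team, so the useful signal is the intersection.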
Source: SecurityAffairs – DraftKings hacker sentenced to prison, ordered to pay $1.4 M