DraftKings Hacker Sentenced After Credential‑Stuffing Attack Compromises 60,000 Accounts
What Happened — A 21‑year‑old hacker known as “Snoopy” was sentenced to 18 months in prison for his role in the November 2022 breach of DraftKings. The attackers used credential‑stuffing techniques to compromise roughly 60 k user accounts, added fraudulent payment methods to 1 600 of them, and siphoned about $600 k.
Why It Matters for Compliance & Audit Readiness
- Credential‑stuffing exploits weak or reused passwords – a direct failure of SOC 2 CC6.1 (Logical Access) controls.
- Continuous monitoring of login anomalies and MFA enforcement are required to produce defensible audit evidence.
- Mapping this incident to your SOC 2 access‑control policies demonstrates due‑diligence and helps close gaps before regulators or partners raise concerns.
Who Is Affected — Online gaming and sports‑betting platforms, fintech services that store payment credentials, and any SaaS provider handling consumer accounts.
Recommended Actions
- Enforce strong password policies and mandatory multi‑factor authentication for all user logins.
- Deploy real‑time credential‑stuffing detection and automated lock‑out mechanisms.
- Align your logical‑access controls with SOC 2 CC6.1, collect logs as audit evidence, and run periodic access‑control assessments.
Technical Notes — The attack vector was credential stuffing using previously leaked or reused passwords. Compromised data included usernames, email addresses, hashed passwords, and linked payment methods. Source: BleepingComputer