Nearly 68,000 DraftKings users were impacted by a cyberattack in November that lasted for weeks and resulted in approximately $300,000 in unauthorized transactions, according to a filing posted Friday with the Maine Attorney General.
The attack, which also targeted FanDuel customers, was deemed a "credential stuffing attack," in which hackers, armed with login credentials like email addresses, usernames and passwords -- often obtained from third-party sources -- gain access to user accounts.
DraftKings notified impacted customers that the attackers could have viewed the user's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balances and the last date of password change.
"At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number," DraftKings wrote in a notification to customers on Dec. 16. "While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account. Therefore, the bad actors were not able to view this information."
The attack began Nov. 18, right as the World Cup was kicking off, and continued for weeks, overwhelming customer service teams at DraftKings and FanDuel. The attack was escalated to the FBI, according to an industry source. The FBI declined comment when contacted by ESPN.
Some of the 67,995 impacted users at DraftKings had unauthorized withdrawals made from their personal bank accounts. Some FanDuel users who were compromised also had unauthorized withdrawals.
"In compliance with applicable state laws, DraftKings provided formal notice of the credential stuffing attacks to certain customers in jurisdictions where required to do so," a DraftKings spokesperson said in a statement. "As we stated previously, bad actors were able to use login credentials obtained from an unknown third-party source to gain access to some user accounts. DraftKings has restored amounts for all users whom we have determined had funds improperly withdrawn from their accounts. Our investigation to date has uncovered no evidence that user login credentials were obtained from DraftKings."
FanDuel has not yet disclosed the number of sports betting and fantasy sports accounts that were impacted.
ESPN has a business partnership with DraftKings, and The Walt Disney Company, ESPN's parent company, owns stock in DraftKings.