Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims. Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims. Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan. Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...

DraftKings suffered a credential stuffing or brute-force attack on September 2, 2025, compromising customer accounts. While the company confirmed its systems were not directly breached, attackers used stolen credentials from external sources to access accounts. Exposed data included names, email addresses, phone numbers, dates of birth, last four digits of payment cards, profile photos, transaction histories, account balances, and password change dates—though DraftKings claimed no government-issued IDs, full financial details, or data enabling direct identity theft were accessed.The incident poses risks of financial fraud, targeted phishing, SIM-swap attacks, social engineering, and extortion, as the leaked information can be weaponized for follow-up attacks. DraftKings advised users to reset passwords, enable two-factor authentication (2FA), monitor credit reports, and consider security freezes. The attack highlights vulnerabilities in reused credentials and underscores the need for stronger authentication measures. No ransomware was involved, but the scale of exposed personal and financial fragments raises concerns over long-term misuse.

The Maine Office of the Attorney General reported a credential stuffing incident involving DraftKings Inc. on December 16, 2022. The breach began on November 18, 2022, affecting a total of 67,995 individuals, although only 125 are specifically identified as residents of Maine.

DraftKings, a leading American sports gambling company, detected and thwarted a credential stuffing attack on September 2, 2025. The attack involved unauthorized access to user accounts using stolen login credentials obtained from external breaches, not from DraftKings’ systems. While no evidence suggested a direct breach of DraftKings’ infrastructure or theft of highly sensitive data (e.g., full financial details, government-issued IDs, or data enabling identity theft), attackers may have temporarily accessed certain customer accounts.Potentially exposed information included names, addresses, dates of birth, phone numbers, email addresses, last four digits of payment cards, profile photos, transaction details, account balances, and password change dates. DraftKings responded by forcing password resets, enabling multifactor authentication (MFA) for affected accounts, and implementing additional technical safeguards. Users were notified and advised to secure their accounts. The company emphasized that no systemic breach occurred, and no critical financial or identification data was compromised. This incident follows a similar 2022 attack where 68,000 accounts were compromised via credential stuffing.

Two Connecticut Men Charged in $3M Online Gambling Fraud Scheme Using Stolen Identities Two Connecticut residents, 29-year-old Amitoj Kapoor and Siddharth Lillaney of Glastonbury, were arrested on Thursday after a federal grand jury indicted them on 45 counts related to a multi-year fraud scheme targeting online gambling platforms. The pair allegedly defrauded FanDuel, DraftKings, BetMGM, and other sites of $3 million using stolen personally identifiable information (PII) from approximately 3,000 victims. Between April 2021 and 2026, Kapoor and Lillaney purchased stolen PII including names, dates of birth, addresses, Social Security numbers, and contact details from darknet markets and Telegram. They then used this data to create thousands of fraudulent gambling accounts, leveraging background-check services like TruthFinder and BeenVerified to bypass verification processes. Kapoor maintained a spreadsheet, "Tracker.xlsx," to organize the stolen information, as evidenced by text messages discussing the use of reverse phone searches to match identities. The scheme exploited promotional bonuses offered to new users, allowing the defendants to place bets with stolen funds. When winnings were secured, they transferred the proceeds to virtual stored-value cards and then into personal bank and investment accounts. The indictment includes charges of conspiracy to commit wire and identity fraud, wire fraud (23 counts), identity fraud (8 counts), aggravated identity theft (2 counts), and money laundering (11 counts). If convicted, Kapoor and Lillaney face decades in prison, with aggravated identity theft carrying a mandatory two-year consecutive sentence. U.S. Attorney David X. Sullivan stated that the defendants "used thousands of stolen identities to open online gambling accounts and exploit new user incentives," while IRS Special Agent in Charge Thomas Demeo emphasized the "immeasurable hardship" caused to victims. Both were released on $300,000 bond pending trial.