
Super Bowl Betting Under Attack: Weak Security Puts Users & Winnings at Risk

As the Super Bowl approaches, betting websites are experiencing a surge in traffic, attracting not just enthusiastic bettors but also malicious actors looking to exploit security gaps. Major spikes in user activity present a prime opportunity for automated attacks, as fraudsters deploy bots to hijack accounts, steal winnings, and manipulate bets at scale.

DataDome’s latest research reveals that top US betting and gambling platforms lack sufficient bot protection, exposing users to credential stuffing attacks that compromise personal and financial data, as well as mass account creation schemes that facilitate fraud and abuse.

Without stronger security measures, these vulnerabilities could lead to significant financial losses for both users and operators, eroding trust in online betting platforms during one of the biggest gambling events of the year.

Security assessment of betting sites

DataDome conducted an assessment of account creation and login flows on five leading betting platforms. The tests were conducted using an open-source bot framework without custom configuration, indicating that attackers using more advanced techniques could inflict even greater damage.

Our tests show a complete lack of defenses against basic automation techniques:

  • 100% of the sites allowed automated login or account creation attempts; DataDome researchers were able to log in and create accounts with ease on each site.
  • No CAPTCHAs were triggered, even on websites claiming to use reCAPTCHA.
  • Only one website implements rate limiting on the login endpoint to deter credential stuffing, but the restriction is easily bypassed. Researchers successfully executed multiple consecutive login attempts, effectively simulating a small-scale credential stuffing attack.
  • None of the sites required email validation before permitting account access.
  • Only one website uses Multi-Factor Authentication (MFA), and an attacker can easily satisfy it with a pool of valid email addresses/phone numbers.

Weak authentication measures left the platforms vulnerable to exploitation through simple tactics.

Implications & risks

  • Credential stuffing: Attackers can steal personal data as well as money, promotions, or simply cause havoc by changing or placing random bets on behalf of the real user.

  • Mass account creation: Attackers can create and resell fake accounts, which may be leveraged in future attacks if the platforms implement stricter defenses.

Recommendations

The financial risks are significant, as high-value bets can lead to substantial payouts. Protecting users from fraud and unauthorized access should be a priority for betting platforms. Strengthening security measures can help mitigate these risks and safeguard both user funds and platform integrity.

Platforms:

  • Implement at least a basic layer of defense: Even a basic layer of defense is crucial to preventing automated attacks. For platforms without any bot mitigation, enforcing CAPTCHA on key user actions like login and account creation would be a strong first step.
  • Advanced bot protection: Transition from basic CAPTCHA systems to more sophisticated bot management solutions that provide real-time detection and mitigation of automated threats. This will help prevent bot attacks at every stage of the user journey.
  • Strengthen registration processes: Enforce email validation or OTP verification during account creation and login, and deploy robust MFA to secure user accounts.
  • Educate users: Encourage users to enable security features (if available) and monitor their accounts for suspicious activities.
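As an added illustration of the rate-limiting and credential-stuffing points above (not DataDome's code or any platform's implementation), the Python sketch below throttles failed logins per source IP and per target account, so that rotating proxies or rotating usernames alone cannot slip past the limit, and flags sources that fail against many distinct usernames. The limits, IP addresses and login events are constructed assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window throttle on login failures keyed per source IP *and* per target
    account, so rotating proxies or rotating usernames alone cannot evade it."""
    def __init__(self, ip_limit=20, account_limit=5, window=300):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.by_ip = defaultdict(deque)       # ip -> timestamps of failed logins
        self.by_account = defaultdict(deque)  # username -> timestamps of failed logins
        self.usernames_by_ip = defaultdict(set)

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def allow(self, ip, username, now):
        """True if the attempt may proceed to password verification."""
        self._prune(self.by_ip[ip], now)
        self._prune(self.by_account[username], now)
        return (len(self.by_ip[ip]) < self.ip_limit
                and len(self.by_account[username]) < self.account_limit)

    def record_failure(self, ip, username, now):
        self.by_ip[ip].append(now)
        self.by_account[username].append(now)
        self.usernames_by_ip[ip].add(username)

    def stuffing_sources(self, min_distinct=10):
        """IPs that failed against many distinct accounts: the credential-stuffing signature."""
        return {ip for ip, names in self.usernames_by_ip.items() if len(names) >= min_distinct}

def replay(events):
    """Feed (timestamp, ip, username, password_ok) events in time order; return a summary."""
    throttle, blocked = LoginThrottle(), 0
    for t, ip, user, ok in sorted(events):
        if not throttle.allow(ip, user, t):
            blocked += 1  # rejected before the password is even checked
        elif not ok:
            throttle.record_failure(ip, user, t)
    return {"blocked": blocked, "stuffing_sources": throttle.stuffing_sources()}

# Constructed sample traffic (not real data): one IP spraying a leaked list across 30
# accounts, a legitimate user with two typos, and one account hit from 8 rotating IPs.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", f"user{t:03d}", False) for t in range(30)]
    + [(5.5, "198.51.100.4", "alice", False), (6.5, "198.51.100.4", "alice", False),
       (7.5, "198.51.100.4", "alice", True)]
    + [(40 + i, f"192.0.2.{i}", "bob", False) for i in range(8)]
)
```

Replaying the sample blocks the spraying IP after its 20th failure and the rotating-IP attack on "bob" after its 5th, while the legitimate user is never throttled.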

Users:

  • Users can shore up their account protection by using a unique, strong password for each site, generated by a password manager, either a dedicated one like Bitwarden or Dashlane or the one built into their browser. Credential stuffing attacks work because people reuse the same email/password across different websites and applications, so when one of those services is breached, attackers can try the leaked passwords on other websites.

Conclusion

With high financial stakes and an increasing number of automated threats, betting websites must extend their security measures beyond payment fraud protection to safeguard user accounts and platform integrity. Attackers are actively exploiting weak defenses, using bots to hijack accounts, steal winnings, and create fake profiles that can later be resold or used for further fraud.

The ease with which these attacks can be executed—often with readily available, off-the-shelf tools—underscores the urgency for platforms to strengthen their defenses. Without immediate action, users risk losing their personal and financial information, while businesses face financial losses, reputational damage, and potential regulatory scrutiny. Strengthening authentication processes, implementing robust bot detection, and enforcing stricter account validation practices are essential steps to prevent these escalating threats.

*** This is a Security Bloggers Network syndicated blog from DataDome authored by Florent Pajot. Read the original post at: https://datadome.co/threat-research/security-alert-super-bowl-betting-under-attack/