A 19-year-old known online as 'Snoopy' has been sentenced to 18 months in federal prison for his role in a credential stuffing attack that drained roughly $600,000 from DraftKings customer accounts in 2022. The case wrapped up in mid-2026 and made headlines — but the more important story isn't about one young hacker facing consequences. It's about the method he used, because credential stuffing attacks are targeting businesses of every size, and most small and medium businesses have no idea they're already exposed.
What Is a Credential Stuffing Attack and Why Should SMBs Care?
Credential stuffing is not hacking in the Hollywood sense. There's no dramatic code-cracking or firewall bypassing. Instead, attackers take large lists of usernames and passwords — stolen from previous data breaches and sold on dark web markets — and automatically try them against other websites and applications. When someone reuses the same password across multiple accounts, which most people do, the attacker gets in.
In the DraftKings case, the attackers didn't breach DraftKings directly. They used credentials that had already been leaked elsewhere, tested them at scale, and found accounts where users had recycled their passwords. The platform itself wasn't the original weak point. Its customers were.
This is exactly the threat model that many SMB owners underestimate. Your business might never suffer a direct intrusion, but if your employees or customers are reusing passwords that appear in breach databases or infostealer dumps circulating on the dark web, your systems are effectively unlocked and waiting.
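Seen from the login page's side, the pattern described above looks different from an ordinary forgotten password: one source tries many different accounts, only once or twice each, and almost all attempts fail. The following detection sketch is an added example, not Breachrr's or DraftKings' code; the event format, thresholds, IP addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, succeeded).
# IPs are from the RFC 5737 documentation ranges; usernames are made up.
SAMPLE_EVENTS = [
    # One source, six different accounts, one attempt each, one hit.
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", False), ("203.0.113.7", "dana", True),
    ("203.0.113.7", "erin", False), ("203.0.113.7", "frank", False),
    # A user who mistyped a password three times, then got in.
    ("198.51.100.20", "grace", False), ("198.51.100.20", "grace", False),
    ("198.51.100.20", "grace", False), ("198.51.100.20", "grace", True),
    # Office NAT: many accounts, but nearly every login succeeds.
    ("192.0.2.50", "alice", True), ("192.0.2.50", "bob", True),
    ("192.0.2.50", "carol", True), ("192.0.2.50", "heidi", False),
    ("192.0.2.50", "heidi", True), ("192.0.2.50", "ivan", True),
]


def detect_stuffing(events, min_users=5, max_tries_per_user=2, max_success_rate=0.2):
    """Return {ip: summary} for sources that try many accounts a few times each
    and mostly fail. Thresholds are illustrative and need tuning per site."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    findings = {}
    for ip, users in per_ip.items():
        attempts = sum(len(results) for results in users.values())
        successes = sum(sum(results) for results in users.values())
        most_tries = max(len(results) for results in users.values())
        if (len(users) >= min_users
                and most_tries <= max_tries_per_user
                and successes / attempts <= max_success_rate):
            findings[ip] = {
                "distinct_users": len(users),
                "attempts": attempts,
                # Accounts where the reused password worked: reset these first.
                "accounts_to_reset": sorted(u for u, r in users.items() if any(r)),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, summary)
```

The `accounts_to_reset` list is the actionable part: those are the accounts whose owners reused a leaked password. Source IP is only one grouping key, and the same counting can be applied to other request attributes your logs record.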
The Credential Pipeline: From Data Breach to Your Business
To understand why this matters for your company, it helps to follow the path stolen credentials travel. When a large platform is breached, the stolen data doesn't disappear. It gets packaged and sold on dark web marketplaces, shared in private Telegram channels, and eventually absorbed into massive combo lists — files containing millions of email and password pairs, ready to be tested against any login page.
Infostealers add another layer. These are pieces of malware that silently harvest saved passwords from browsers and applications on infected computers. A single infected employee laptop can leak credentials for your business email, your accounting software, your cloud storage, and your payment processor — all at once. Those credentials then flow into the same dark web ecosystem within hours.
Snoopy and his associates were operating at the consumer end of this pipeline. But the same infrastructure, the same credential lists, and the same automated testing tools are pointed at business login portals every single day.
Why an 18-Month Sentence Won't Stop the Next Attack
The prosecution of 'Snoopy' is a legitimate win for law enforcement, and the case demonstrates that federal authorities are increasingly willing to pursue cybercrime charges even against younger offenders. That matters for deterrence in the long run.
But deterrence has limits. Credential stuffing attacks are largely automated. Tools to run them are cheap and widely available. Breach data is abundant. The attackers operating at scale are often overseas and effectively beyond the reach of US prosecution. One conviction doesn't drain the ecosystem that makes these attacks possible.
For SMBs, this means the responsible posture is not to wait for law enforcement to solve the problem. It's to take practical steps to know what's already out in the open about your business before an attacker exploits it.
How to Know If Your Business Is Already Exposed
The first step is visibility. Most SMB owners don't know which of their employees' credentials have appeared in breach databases, which company domains are associated with leaked data, or whether any internal credentials are sitting in infostealer logs being traded right now. That's not negligence — it's just the reality of running a business where cybersecurity isn't your core job.
Breachrr was built to close that visibility gap. We continuously monitor breach databases, infostealer dumps, dark web markets, public code repositories, and domain infrastructure for signs that your business data has been exposed. When we find something, we tell you clearly and quickly — no technical expertise required to understand the results.
The DraftKings case is a reminder that credential stuffing attacks have real victims and real financial consequences. If you're running a business in 2026, the question isn't whether your credentials have ever appeared in a breach. The question is whether you know about it. Run a free audit at breachrr.com/audit and find out exactly where your business stands.