The incident, initially disclosed in November, was the result of a credential stuffing attack and not a breach of DraftKings’ systems, the company says.
Credential stuffing involves the use of leaked credentials (usernames, email addresses, and passwords) obtained from a third-party source to access an account on a different service. Such attacks are successful only because some individuals use the same credentials for accounts on different services.