DraftKings is notifying users of a recent credential stuffing campaign targeting their online accounts.

The attacks, the company says in a notification letter to the impacted users, were discovered on September 2, and relied on credentials harvested from other sources to log into users’ accounts.

“By stealing login credentials from a non-DraftKings source and using them in this attack, the bad actor may have temporarily been able to log into certain DraftKings customers’ account,” reads a copy of the notification letter that was submitted to the Massachusetts OCABR.

The attackers likely accessed users’ names, addresses, email addresses, phone numbers, dates of birth, profile photos, the last four digits of payment cards, transaction information, account balances, and details on when passwords were last changed.

“Importantly, our investigation to date has observed no evidence that your login credentials were obtained from DraftKings or that DraftKings’ computer systems or networks were breached as part of this incident,” the company says.

DraftKings also notes that it has no evidence that information such as government-issued ID numbers, financial account numbers, or other sensitive information was compromised in the attack.