Customers of the FanDuel sportsbook and betting platform are being cautioned that their names and email addresses were made public due to a security breach at MailChimp in January 2023. Users are advised to be on the lookout for phishing emails.
MailChimp disclosed the compromise on January 13th, after attackers used social engineering to obtain an employee's login credentials. The threat actors used those credentials to access an internal MailChimp customer support and account administration tool, from which they took the "audience data" of 133 customers. The contents of audience data vary from one MailChimp customer to another, but it commonly includes the names and email addresses of current or prospective customers.
Customers were informed via email last Thursday by FanDuel that threat actors obtained their names and email addresses due to the MailChimp hack.
“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients,” reads a FanDuel ‘Notice of Third-Party Vendor Security Incident.’ “On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired in this incident.”
FanDuel further emphasized that this was neither a breach of its own systems nor of FanDuel user accounts and that “the hackers did not obtain passwords, bank account information, or other personal information” as a result of the incident. Although the notification letter does not name the compromised third-party vendor, FanDuel has confirmed that it was MailChimp.
Following the breach, FanDuel advises users to “remain vigilant” against phishing scams and attempted account takeovers. The company said it will never email customers directly to ask for personal information in order to resolve a problem. FanDuel further cautions users not to click on links in password-reset emails they did not initiate and to update their passwords regularly. It also advises users to enable multi-factor authentication (MFA) on their accounts.
There is no evidence so far that the stolen MailChimp data is being exploited in attacks. However, threat actors have previously used this kind of stolen data for phishing campaigns. In April 2022, threat actors obtained the marketing email data of the Trezor hardware wallet vendor through a MailChimp security flaw. That data was then used in a phishing campaign that posed as a data breach notification to distribute malware designed to steal bitcoin wallets.
Additionally, there is considerable demand for FanDuel accounts, and threat actors are actively using credential-stuffing attacks to break into users’ accounts [1, 2, 3]. Depending on the account’s balance or linked payment information, these accounts sell for as little as $2 on cybercrime markets. Even if a threat actor obtains a customer’s credentials, taking over the account is far more difficult when MFA is enabled on the FanDuel account through an authentication app.
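Credential stuffing leaves a recognisable trace in a login log: one source address cycling through many different usernames with mostly failed attempts, occasionally followed by a success. The following detector is an added illustration of how a defender can flag that pattern; it is not FanDuel's or MailChimp's code, and the log format, field names, window size and threshold are all assumptions. The log lines are constructed for the example.

```python
"""
Credential-stuffing detection over a small login log.

Added illustration, not code from FanDuel or MailChimp. The log format
(timestamp ip=... user=... result=OK|FAIL), the 10-minute window and the
5-distinct-accounts threshold are assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). 203.0.113.5 sprays
# many accounts and finally gets into one; 198.51.100.7 is a single user
# mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2023-01-19T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-01-19T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-01-19T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-01-19T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-01-19T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-01-19T10:00:06Z ip=203.0.113.5 user=frank result=OK
2023-01-19T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2023-01-19T10:05:30Z ip=198.51.100.7 user=alice result=FAIL
2023-01-19T10:06:00Z ip=198.51.100.7 user=alice result=OK
2023-01-19T11:00:00Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(
            {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}
        )
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5):
    """Return {ip: finding} for source IPs whose failed logins inside any
    sliding `window` span at least `min_distinct_users` distinct accounts.

    A finding also lists accounts that logged in successfully from that IP
    within the same window: those are the likely takeovers to review first.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            failed_users = {e["user"] for e in in_window if not e["ok"]}
            if len(failed_users) < min_distinct_users:
                continue
            # Keep the widest view of the spray (>= so a later success is included).
            if best is None or len(failed_users) >= best["distinct_failed_users"]:
                best = {
                    "distinct_failed_users": len(failed_users),
                    "failed_attempts": sum(1 for e in in_window if not e["ok"]),
                    "successful_logins_in_window": sorted(
                        {e["user"] for e in in_window if e["ok"]}
                    ),
                }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The per-user retry from 198.51.100.7 is deliberately not flagged: a single account failing repeatedly is a different signal (brute force or a forgotten password), and collapsing both into one alert is how teams end up ignoring it. The threshold and window need tuning against real traffic, and a rate limit or MFA step-up on the flagged source is the usual response, since MFA is what turns a successful credential match into a failed takeover.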
Many of these account compromises result from customers reusing the same login credentials at FanDuel and other websites. Once credentials leak from one site, threat actors try them against accounts at other sites. Using a password manager to create a unique password for each website is essential to prevent a breach at one company from harming you at another.