Customers of the FanDuel sportsbook and betting platform are being warned that their names and email addresses were exposed in a security breach at MailChimp in January 2023, and are advised to be on the lookout for scam communications.
MailChimp disclosed the compromise on January 13 after attackers used social engineering to obtain an employee's login credentials.
The threat actors used those credentials to access an internal MailChimp customer support and administration tool, and from there exported the "audience data" of 133 MailChimp customers.
Audience data varies from one MailChimp customer to the next, but it frequently includes the names and email addresses of current or prospective customers.
Customers were informed via email last Thursday by FanDuel that threat actors obtained their names and email addresses as a result of the MailChimp breach.
FanDuel's "Notice of Third-Party Vendor Security Incident" states that "a third-party technology vendor that sends email messages on behalf of its customers like FanDuel had a security breach within their system."
"On Sunday night, the vendor acknowledged that unauthorized actors had obtained the FanDuel users' identities and email addresses. In this instance, no customer passwords, financial account details, or other personal data were obtained."
FanDuel further emphasized that this was not a breach of its own systems or of FanDuel user accounts, and that the attackers did not obtain "passwords, bank account information, or even other personal information" as a result of the breach.
Although the compromised third-party vendor was not named in the security incident letter, FanDuel confirmed that it was MailChimp.
FanDuel recommends remaining vigilant
Following the data breach, FanDuel advises users to “stay vigilant” against phishing scams and attempted account takeovers.
The FanDuel security incident email warns: "Remain watchful about email 'phishing' efforts stating there is a problem with your FanDuel account that requires you to give personal or private information to fix the issue."
FanDuel adds that it "would never email clients directly and ask for personal information" to fix a problem.
FanDuel further cautions users not to click on links in emails they did not initiate, to update their passwords regularly, and to enable multi-factor authentication (MFA) on their accounts.
There is currently no evidence that the stolen MailChimp data is being used in attacks. However, threat actors have exploited this kind of stolen data for phishing campaigns before.
In April 2022, threat actors obtained the marketing email list of the Trezor hardware wallet vendor in an earlier MailChimp breach.
That list was then used in a phishing campaign that sent fake data breach alerts to Trezor customers and distributed malware designed to steal their cryptocurrency wallets.
There is also strong demand for FanDuel accounts on cybercrime marketplaces, where they sell for as little as $2 depending on the account balance and any linked payment information, so threat actors actively run credential-stuffing attacks against users' accounts.
Credential stuffing works because many users reuse the same email address and password across websites: when one site is breached, threat actors replay the leaked credentials against FanDuel and other sites until they find accounts where the same password works. Even if a threat actor obtains a customer's credentials this way, taking over the account is far harder when MFA is enabled on the FanDuel account through an authenticator app. Using a password manager to generate a unique password for every website is the other essential defense, since a password that is never reused cannot be stuffed.
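The credential-stuffing pattern described above is visible in authentication logs: one source address tries many different usernames in a short window, most attempts fail, and the rare successes are the reused passwords. The following detector is an added example written for this page, not code from FanDuel or MailChimp; the log format, the result values (bad_password, mfa_required, ok), the constructed sample lines and the thresholds are all assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in a (constructed) login log.

Added example, not FanDuel's or MailChimp's code. Log format, result
values, IP addresses, usernames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "timestamp source_ip username result".
# Result values (assumed): bad_password (rejected), mfa_required (password was
# correct but the MFA challenge was not passed), ok (full login succeeded).
# 198.51.100.20 is a legitimate user mistyping once; 203.0.113.7 is a stuffing bot
# replaying leaked email/password pairs against eight different accounts.
SAMPLE_LOG = """\
2023-01-19T10:00:00Z 198.51.100.20 carol bad_password
2023-01-19T10:00:09Z 198.51.100.20 carol ok
2023-01-19T10:05:00Z 203.0.113.7 alice bad_password
2023-01-19T10:05:01Z 203.0.113.7 bob bad_password
2023-01-19T10:05:02Z 203.0.113.7 carol mfa_required
2023-01-19T10:05:03Z 203.0.113.7 dave ok
2023-01-19T10:05:04Z 203.0.113.7 erin bad_password
2023-01-19T10:05:05Z 203.0.113.7 frank bad_password
2023-01-19T10:05:06Z 203.0.113.7 grace bad_password
2023-01-19T10:05:07Z 203.0.113.7 heidi bad_password
2023-01-19T11:00:00Z 192.0.2.44 dave ok
"""


def parse_log(text):
    """Parse the assumed space-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return records


def detect_stuffing(records, window=timedelta(seconds=60),
                    min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that look like credential stuffing.

    A source is flagged when, within any sliding window of `window` seconds,
    it attempted at least `min_accounts` distinct usernames and at least
    `min_fail_ratio` of those attempts did not complete a login. A correct
    password stopped by MFA (mfa_required) counts as a failed login, which is
    exactly the case MFA exists to create.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(e["result"] != "ok" for e in span)
            if len(users) >= min_accounts and failures / len(span) >= min_fail_ratio:
                findings[ip] = {
                    # Every account this source touched, for notification.
                    "accounts_tried": sorted({e["user"] for e in events}),
                    # Full logins from a stuffing source: reused password, no MFA.
                    "compromised": sorted({e["user"] for e in events
                                           if e["result"] == "ok"}),
                    # Reused password that MFA stopped: still rotate it.
                    "blocked_by_mfa": sorted({e["user"] for e in events
                                              if e["result"] == "mfa_required"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged: it hit five distinct accounts with a high failure ratio inside the window, `dave` is reported as compromised (reused password, no MFA) and `carol` as blocked by MFA (reused password, but the authenticator challenge held). The later login by `dave` from 192.0.2.44 is the kind of follow-up activity an analyst would then review. In production the same logic would run over a real auth feed with thresholds tuned to the site's traffic, and a flagged source should trigger rate limiting plus forced password resets for the accounts it reached.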