FanDuel reveals data breach due to recent MailChimp hack

FanDuel’s sportsbook and betting website is reminding customers that their email addresses and names were compromised in the January 2023 MailChimp security attack. Users are urged to be vigilant and avoid phishing emails.

MailChimp disclosed the breach on January 13th, after hackers used social engineering to steal an employee's credentials.

These credentials were used by the threat actors to access an internal MailChimp customer service and administration tool in order to steal “audience information” from 133 customers.

Although each MailChimp customer has their own audience, this data often contains email addresses or names of potential customers that can be used for marketing purposes.

FanDuel sent customers an email last Thursday to inform them of the fact that threat actors had obtained their email addresses and names during the MailChimp hack.

BleepingComputer has obtained a copy of FanDuel's “Notice of Third Party Vendor Security Incident”, which reads: “Recently we were informed by an outside vendor that sends transactional email on behalf of clients such as FanDuel about a security breach in their system which impacted several of them.”

On Sunday night, the vendor verified that FanDuel email addresses and customer names were purchased by an unknown actor. This incident did not involve the acquisition of customer passwords or financial account information.

FanDuel also stressed that its own systems and user accounts were not attacked, and that the hackers did not obtain passwords, financial account information, or any other personal information during the breach.

Although the breached third-party vendor was not named in the security incident notification, FanDuel confirmed to BleepingComputer that the vendor was MailChimp.

“Remain vigilant”

FanDuel advises its customers to be vigilant against any phishing attempts and account takeover attempts after recent breaches.

The FanDuel security incident email warns that phishing emails may claim there is an issue with your FanDuel account and ask you to provide personal or confidential information.

FanDuel says it will not email or otherwise contact customers directly to request such information.

FanDuel also advises customers to update their passwords regularly and not to click links in password reset emails they did not initiate themselves.

Although there are no signs that the stolen MailChimp data has been used in attacks yet, threat actors have used data from previous MailChimp breaches to launch phishing campaigns.

A MailChimp security breach in April 2022 allowed threat actors to access marketing data belonging to hardware wallet maker Trezor.

The stolen data was then used in a phishing campaign that pushed malware designed to steal cryptocurrency wallets.

FanDuel accounts are also highly sought-after, and threat actors regularly perform credential-stuffing attacks to hijack customer accounts.

Cybercrime marketplaces sell these accounts for as little as $2, depending on the account's balance and linked payment information.
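Credential stuffing looks different from a brute-force attack on a single account: one source tries many different usernames, each usually once, with a small number of successes. The following is an added example, not code from the article or from FanDuel, showing how a defender can flag that pattern in authentication logs. The log format, the thresholds (5 distinct accounts within 5 minutes) and every IP address and username are constructed for illustration.

```python
"""Flag credential-stuffing patterns in constructed authentication log lines.

Added example; the log format, thresholds and all IPs/usernames are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source ip> <username> <result>"
# 203.0.113.7 tries six different accounts within seconds (stuffing pattern);
# 198.51.100.9 retries one account a few times (more like a user mistyping).
SAMPLE_LOG = """\
2023-01-20T10:00:01 203.0.113.7 alice FAIL
2023-01-20T10:00:02 203.0.113.7 bob FAIL
2023-01-20T10:00:02 203.0.113.7 carol FAIL
2023-01-20T10:00:03 203.0.113.7 dave FAIL
2023-01-20T10:00:04 203.0.113.7 erin FAIL
2023-01-20T10:00:05 203.0.113.7 frank OK
2023-01-20T10:03:10 198.51.100.9 alice FAIL
2023-01-20T10:03:40 198.51.100.9 alice FAIL
2023-01-20T10:04:10 198.51.100.9 alice OK
2023-01-20T11:30:00 203.0.113.7 grace FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set(usernames)} for source IPs that attempted logins against
    at least `min_users` distinct accounts within any span of length `window`.

    The signal is the number of *distinct* usernames per source, not the number
    of failures, because stuffing tries each leaked credential pair only once.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        # Sliding window over the time-ordered attempts from this source.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that had a successful login from a flagged source. These are the
    accounts to force a password reset on and to review for MFA enrolment."""
    return sorted(user for _ts, ip, user, ok in events if ok and ip in flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts tried -> {sorted(users)}")
    print("accounts to re-secure:", successes_from_flagged(evs, hits))
```

On the sample data only 203.0.113.7 is flagged (six distinct accounts in five seconds), and `frank` is the one account that had a successful login from it; the repeated attempts against `alice` from 198.51.100.9 stay below the distinct-account threshold. In production the same logic runs per source IP, per ASN or per device fingerprint, and the thresholds are tuned against the site's normal traffic.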

MFA can be enabled on FanDuel accounts using authenticator apps. This makes it much harder to take over an account, even if someone obtains a customer's credentials.

Reusing the same password on FanDuel and other sites can lead to multiple account breaches, as threat actors take credentials exposed in one breach and try them against accounts elsewhere.

To keep a data breach at one company from spilling over into accounts at others, a password manager that keeps every password unique is essential.