FanDuel’s sportsbook and betting website is reminding customers that their names and email addresses were exposed in the January 2023 MailChimp security breach, and is urging them to stay vigilant against phishing emails.
MailChimp disclosed the breach on January 13th, after hackers used social engineering to steal an employee’s credentials.
The threat actors used those credentials to access an internal MailChimp customer-support and account-administration tool and steal “audience information” belonging to 133 customers.
What an audience contains varies from one MailChimp customer to the next, but it commonly includes the names and email addresses of current or prospective customers collected for marketing purposes.
FanDuel emailed customers last Thursday to inform them that threat actors had obtained their names and email addresses in the MailChimp breach.
BleepingComputer has a copy of the FanDuel “Notice of Third Party Vendor Security Incident,” which reads: “Recently we were informed by an outside vendor that sends transactional email on behalf of clients such as FanDuel about a security breach in their system which impacted several of them.”
On Sunday night, the vendor confirmed that an unidentified actor had obtained FanDuel customer names and email addresses. No customer passwords or financial account information were involved.
FanDuel also stressed that the incident was not an attack on its own systems or on FanDuel user accounts, and that the hackers did not obtain passwords, financial account information, or any other personal information.
Although the security incident notification didn’t name the third party vendor, FanDuel told BleepingComputer the vendor in question was MailChimp.
Following the breach, FanDuel advises its customers to be vigilant against phishing attempts and account-takeover attempts.
The FanDuel security incident email warns that phishing emails may claim there is an issue with your FanDuel account and ask you to provide personal or confidential information.
FanDuel says it will not email customers to request such information.
FanDuel also advises customers to update their passwords regularly and not to click links in password reset emails they did not initiate themselves.
Although there are no signs that the data stolen from MailChimp in this incident has yet been used in attacks, threat actors have used data from previous MailChimp breaches to launch phishing campaigns.
A MailChimp breach in April 2022 allowed threat actors to access marketing data belonging to hardware wallet maker Trezor.
That data was used to create phishing campaigns claiming to be . The malicious software those campaigns pushed was used to steal cryptocurrency wallets.
FanDuel accounts are also highly sought after, and threat actors regularly perform credential-stuffing attacks to hijack customer accounts.
Cybercrime marketplaces sell hijacked FanDuel accounts for as little as $2, with prices depending on the account balance and any linked payment information.
FanDuel accounts support MFA via authenticator apps. Enabling it makes an account much harder to take over, even if an attacker obtains the customer’s password.
Reusing a FanDuel password on other sites also puts those accounts at risk: credentials exposed in one breach are routinely tried by threat actors against other services.
Using a password manager to generate a unique password for every site prevents a breach at one company from cascading into account takeovers elsewhere.