The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, “held” by a third-party newsletter service, was stolen.
The NBA is a global sports and media organization that manages five professional sports leagues, including the NBA, WNBA, Basketball Africa League, NBA G League, and NBA 2K League.
NBA programming and games are broadcasted worldwide, in over 215 countries and territories, spanning over 50 languages.
In “Notice of Cybersecurity Incident” emails sent to an unknown number of fans, NBA says its systems were not breached, and the affected fans’ credentials were not impacted in this incident. However, some fans’ personal information was stolen.
“We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA,” the NBA says.
“There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted.”
After being informed of the incident, the NBA is working with the third-party service provider as part of an ongoing investigation and has hired the services of external cybersecurity experts to analyze the scope of the impact.
Fans warned to watch out for phishing attacks
The NBA also warned that, due to the sensitive nature of the data involved, there is an increased likelihood that the affected individuals might be targeted in phishing attacks and various scams.
Affected fans were strongly encouraged to remain vigilant when opening suspicious emails or communications that may seem to originate from the NBA or its partners.
“Given the nature of the information, there may be heightened risk of you receiving ‘phishing’ emails from email accounts appearing to be affiliated with the NBA, or of being targeted by other so-called ‘social engineering’ attacks (where an individual seeks to trick the target into sharing confidential information or otherwise taking actions contrary to his or her own interest,” the NBA said.
The notification emails add that the NBA will never request the fans’ account information, including usernames or passwords, via email.
Affected fans are also advised to verify that received emails are sent from a legitimate “@nba.com” email address, to check that embedded links point to a trusted website, and never open email attachments they don’t expect to receive.
An NBA spokesperson was not available for comment when contacted by BleepingComputer earlier today.