Sportsbook and esports betting site FanDuel is warning customers that their names and email addresses were exposed during a MailChimp security breach in January 2023, urging users to remain vigilant against phishing emails.
On January 13, MailChimp confirmed it had suffered a breach after hackers stole an employee’s credentials in a social engineering attack.
Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal “audience data” from 133 customers.
This audience data is different for every MailChimp customer, but typically contains the email addresses and names of customers, or potential customers, that are used to send marketing emails.
Last Thursday, FanDuel sent an email to its customers warning them that the threat actors had acquired their names and email addresses in the MailChimp breach.
“Recently, we were informed by a third-party technology provider that sends transactional emails on behalf of its customers like FanDuel that they had experienced a security breach within their system which impacted several of their customers,” reads a FanDuel ‘Notice of Third-Party Vendor Security Incident’ seen by BleepingComputer.
“On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired during this incident.”
FanDuel also stressed that this was not a breach of their FanDuel systems or user accounts and that the hackers did not acquire “passwords, financial account information or other personal information” during the breach.
Although the security incident notification did not name the third-party provider that was hacked, FanDuel confirmed to BleepingComputer that the third-party provider was MailChimp.
FanDuel is urging customers to “remain vigilant” against phishing attacks and account takeover attempts after their data was exposed in this recent breach.
“Remain vigilant against ‘phishing’ email attempts claiming a problem with your FanDuel account that requires providing personal or private information to resolve the problem,” warns the FanDuel Security Incident email.
“FanDuel will never email customers directly and ask for personal information to resolve an issue.”
FanDuel also warns customers to update their passwords frequently, enable multi-factor authentication (MFA) on their accounts, and not click on links in password reset emails that they did not initiate themselves.
Although there are no indications that data stolen from MailChimp is being used in attacks, threat actors have abused this type of stolen data in previous phishing campaigns.
In April 2022, a MailChimp breach allowed threat actors to steal marketing email data belonging to hardware wallet maker Trezor.
This data was then used in a phishing campaign posing as fake data breach notifications which pushed malware to steal cryptocurrency wallets.
Additionally, FanDuel accounts are in high demand, with threat actors actively carrying out credential stuffing attacks to hijack customer accounts [1, 2, 3].
These accounts are sold on cybercrime marketplaces for as little as $2, depending on account balance or linked payment information.
Enabling MFA on a FanDuel account using an authenticator app will make it much more difficult for accounts to be stolen, even if a malicious actor gains access to a customer’s credentials.
Many account compromises are caused by reusing the same credentials on FanDuel and on other sites: when one of those other sites suffers a data breach, threat actors take the leaked credentials and use them to attempt to log into accounts elsewhere.
For this reason, using a password manager and creating unique passwords at each site is essential to prevent a breach at one company from affecting you at another.
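As an added illustration of the credential stuffing pattern described above (this is example code, not from BleepingComputer, FanDuel or MailChimp), the following Python detector flags a source address that tries many distinct usernames in a short window with mostly failed logins. The log format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real FanDuel data): "<iso timestamp> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2023-01-20T10:00:01 203.0.113.5 alice FAIL
2023-01-20T10:00:02 203.0.113.5 bob FAIL
2023-01-20T10:00:02 203.0.113.5 carol FAIL
2023-01-20T10:00:03 203.0.113.5 dave OK
2023-01-20T10:00:04 203.0.113.5 erin FAIL
2023-01-20T10:00:05 203.0.113.5 frank FAIL
2023-01-20T10:05:00 198.51.100.9 alice FAIL
2023-01-20T10:05:20 198.51.100.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window_s=300, min_users=5, max_ok_ratio=0.5):
    """Return {ip: stats} for IPs whose best sliding window shows many distinct
    usernames and a low success ratio: the signature of stuffing leaked credentials
    rather than a single user mistyping their own password."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            # advance the window start until the span fits within window_s seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            ok = sum(1 for _, _, r in win if r == "OK")
            if len(users) >= min_users and ok / len(win) <= max_ok_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(win), "successes": ok}
        if best:
            flagged[ip] = best
    return flagged
```

The one successful login from the flagged address is the account a defender would want to review first, since a low-volume legitimate user (the second address above) is not flagged.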