FanDuel Cautions Users Of Data Breach In Vendor Hack

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Jan 23, 2023 02:02 am PST

Customers of the FanDuel sportsbook and betting platform are being warned that their names and email addresses were exposed in a security breach at MailChimp in January 2023, and are advised to watch for scam emails. MailChimp disclosed the compromise on January 13th, after attackers used social engineering to obtain an employee’s login credentials.

The threat actors used those credentials to access an internal MailChimp customer-support and account-administration tool, and from it exported the audience data of 133 MailChimp customers. What that audience data contains varies from one MailChimp customer to the next, but it typically includes the names and email addresses of current or prospective customers.

FanDuel informed customers by email last Thursday that threat actors had obtained their names and email addresses as a result of the MailChimp breach: “We recently learned of a security compromise in the system of a third-party technology provider that sends transactional emails on behalf of companies like FanDuel.

“On Sunday night, the vendor acknowledged that unauthorized actors had obtained the FanDuel users’ identities and email addresses. In this instance, no customer passwords, financial account details, or other personal data were obtained.”

FanDuel further emphasized that this was a breach neither of its own systems nor of FanDuel user accounts, and that “the hackers did not obtain passwords, financial account information, or other personal information.” The security incident letter did not name the compromised third-party vendor, but FanDuel confirmed to BleepingComputer that it was MailChimp.

FanDuel Cautions Users To Refrain From Clicking On Links

Following the breach, FanDuel advises users to “stay vigilant” against phishing scams and attempted account takeovers. The FanDuel security incident email warns: “Remain watchful about email ‘phishing’ efforts stating there is a problem with your FanDuel account that necessitates giving personal or private information to fix the issue.

“To fix a problem, FanDuel will never email clients directly and ask for personal information.” FanDuel further cautions users not to click links in password-reset emails they did not request, and to update their passwords regularly. It also advises users to enable multi-factor authentication (MFA) on their accounts.

There is no evidence so far that the stolen MailChimp data is being used in attacks; however, threat actors have exploited exactly this kind of stolen data for phishing before. In April 2022, a compromise at MailChimp gave threat actors the marketing email list of the Trezor hardware wallet vendor.

That list was then used in a phishing campaign that impersonated a Trezor data-breach alert and distributed malware built to steal cryptocurrency wallets. Separately, there is strong demand for sports betting accounts on criminal markets, and threat actors actively run credential-stuffing attacks to break into users’ accounts.

Depending on the balance in the account and any linked payment methods, these accounts sell for as little as $2 on cybercrime marketplaces. Even if a threat actor obtains a customer’s credentials, taking over the account is far harder when MFA is enabled on the FanDuel account through an authenticator app.

Many account compromises come from reusing the same login details at FanDuel and other websites: once credentials leak from one site, threat actors try them against accounts everywhere else. To keep a breach at one company from harming you at another, use a password manager and a unique password for every website.
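On the service side, the credential-stuffing attacks described above have a recognisable shape in authentication logs: one source trying many different usernames in a short burst, almost all of them failing because most leaked passwords are no longer valid, with the occasional success marking an account that was reused and is now compromised. The following is an added example, not code from the original article or from FanDuel; it parses a constructed sample log (invented addresses and IPs from the documentation ranges, not real data) and classifies each source IP as credential stuffing, single-account brute force, or benign.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real FanDuel or MailChimp data).
# One line per login attempt: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-01-20T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2023-01-20T10:00:03Z ip=203.0.113.7 user=bob@example.com result=FAIL
2023-01-20T10:00:04Z ip=203.0.113.7 user=carol@example.com result=FAIL
2023-01-20T10:00:06Z ip=203.0.113.7 user=dave@example.com result=OK
2023-01-20T10:00:07Z ip=203.0.113.7 user=erin@example.com result=FAIL
2023-01-20T10:00:09Z ip=203.0.113.7 user=frank@example.com result=FAIL
2023-01-20T10:00:10Z ip=203.0.113.7 user=grace@example.com result=FAIL
2023-01-20T10:00:12Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2023-01-20T10:05:00Z ip=198.51.100.4 user=ivan@example.com result=FAIL
2023-01-20T10:05:20Z ip=198.51.100.4 user=ivan@example.com result=OK
2023-01-20T10:10:00Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-01-20T10:10:05Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-01-20T10:10:10Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-01-20T10:10:15Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-01-20T10:10:20Z ip=192.0.2.9 user=judy@example.com result=FAIL
2023-01-20T10:10:25Z ip=192.0.2.9 user=judy@example.com result=FAIL
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return (epoch_seconds, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect(events, window_s=60, min_users=5, min_failures=5, max_success_ratio=0.25):
    """Per source IP, slide a window over its attempts and classify the busiest one.
    Credential stuffing: many distinct usernames, almost all failing. Brute force:
    one username, many failures. Accounts that succeeded inside a stuffing burst
    are listed so the SOC can force a reset and notify the owner."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        peak = None  # window with the most distinct usernames (then most failures)
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            win = evs[start:end + 1]
            stats = {
                "attempts": len(win),
                "distinct_users": len({e[2] for e in win}),
                "failures": sum(1 for e in win if not e[3]),
                "compromised": sorted({e[2] for e in win if e[3]}),
            }
            if peak is None or (stats["distinct_users"], stats["failures"]) > (
                peak["distinct_users"], peak["failures"]
            ):
                peak = stats

        fail_ratio = peak["failures"] / peak["attempts"]
        if peak["distinct_users"] >= min_users and fail_ratio >= 1 - max_success_ratio:
            findings[ip] = dict(peak, type="credential_stuffing")
        elif peak["distinct_users"] == 1 and peak["failures"] >= min_failures:
            findings[ip] = dict(peak, type="password_brute_force", compromised=[])
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Real campaigns spread attempts across thousands of proxy IPs to stay under per-IP thresholds, so a production detector also keys on ASN, user-agent and the site-wide ratio of distinct usernames to successful logins; the per-IP sliding window here is the baseline those signals are layered on.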

Staying Safe On Sports Betting Sites

The following are a few ways to stay safe on sports betting sites. Account security there is a concern for new and experienced users alike, so keep them in mind at all times.

  • Verify the site uses HTTPS (TLS).

Transport encryption (TLS, the successor to SSL, indicated by the https:// prefix and the browser padlock) protects your password, personal details and payment data from being read or altered in transit between your browser and the site. Only log in and wager on sites served over HTTPS. Note what it does not cover: it says nothing about how the operator or its vendors handle your data once it arrives, which is exactly where the MailChimp incident occurred.

  • Regularly change your password.

Changing your password is a simple way to cut off anyone who already holds an old copy of it, yet few people do it. Change it immediately after any breach notification, after signing in from a device you do not control, or if the password was ever reused on another site. Rotation on a calendar schedule adds less than keeping the password unique and strong in the first place.

  • Make sure to use strong passwords.

A strong password is long and not derived from anything guessable about you; mixing letters, digits and unusual characters helps only if the result is also long and unique to that site. Since nobody can memorise a distinct strong password for every betting site, use a password manager such as LastPass or Google Password Manager to generate and store them; it also keeps several accounts across different betting sites straight.

  • Pay with safe methods.

When funding a wager online, pay by credit card or e-wallet rather than directly from a bank account. Both put a layer between the betting site and your savings: in the event of fraud you can cancel the card, or move the remaining e-wallet balance to your bank from your phone, and card issuers have chargeback procedures that can recover stolen funds. Your savings at least stay out of reach in a breach.

  • Avoid clicking or downloading dubious links.

Although this should be obvious, many shady betting sites push deals, bonuses or tips that look too good to be true, and some gamblers, particularly novices, click or download what they should not. Such files can carry malicious code that exposes your personal information and puts you at financial or personal risk.
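The two link warnings on this page, FanDuel’s advice not to click unsolicited password-reset links and the caution above about dubious bonus links, come down to the same checks a mail gateway or a careful reader applies before following a link. The following is an added example, not code from the original article, FanDuel or MailChimp; it extracts every link from a constructed phishing-style HTML email (invented, with documentation-range IPs) and flags the usual red flags: plain http, an IP-literal host, a punycode host, the brand name appearing in a host that is not the brand’s own domain, and link text that claims a different destination than the href. The trusted-domain list, the two-label “registrable domain” shortcut and the brand keyword are assumptions for the example; a real deployment consults the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brand really uses and the brand word a look-alike would borrow.
# Assumption for this example; a real deployment keeps this per brand.
TRUSTED_DOMAINS = {"fanduel.com"}
BRAND_KEYWORDS = ("fanduel",)

# Constructed phishing-style email body (not a real message from FanDuel).
SAMPLE_EMAIL = """
<p>We detected a problem with your account. Please verify your details.</p>
<a href="https://www.fanduel.com/account">Manage your account</a>
<a href="http://fanduel.com.account-verify.example.net/reset">https://www.fanduel.com/reset</a>
<a href="https://203.0.113.5/login">Sign in</a>
<a href="https://www.xn--fandul-7ra.com/login">fanduel.com</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. Assumption: adequate for .com/.net style TLDs;
    a production check must use the Public Suffix List (co.uk and the like)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text, trusted=TRUSTED_DOMAINS, brands=BRAND_KEYWORDS):
    """Return the list of red flags for one link (an empty list means none found)."""
    flags = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)

    if parsed.scheme != "https":
        flags.append("not-https")
    if _is_ip(host):
        flags.append("ip-literal-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # IDN label, commonly used for homoglyph look-alikes
    if reg not in trusted and any(b in host for b in brands):
        flags.append(f"brand-lookalike:{host}")  # brand name present, but not on its own domain

    # Link text that itself looks like a URL or domain must point where it claims.
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        flags.append(f"display-mismatch:{m.group(1)}->{host}")
    return flags


def analyze_email_html(html, trusted=TRUSTED_DOMAINS, brands=BRAND_KEYWORDS):
    """Analyze every link in an HTML email body; one dict per link, in document order."""
    collector = _LinkCollector()
    collector.feed(html)
    return [
        {"href": href, "text": text, "flags": analyze_link(href, text, trusted, brands)}
        for href, text in collector.links
    ]


if __name__ == "__main__":
    for r in analyze_email_html(SAMPLE_EMAIL):
        print("SUSPICIOUS" if r["flags"] else "ok        ", r["href"], r["flags"])
```

The second link in the sample is the shape the MailChimp-sourced phishing would most likely take: the visible text reads as the brand’s real address while the href leads to a third-party domain with the brand name stuffed into a subdomain, which is why the display-text comparison is done on the registrable domain rather than on the full host.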

