The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, and is urging users to be wary of phishing emails.
On January 13, MailChimp confirmed it suffered a breach after hackers stole an employee’s credentials using a social engineering attack.
Using these credentials, the threat actors accessed an internal MailChimp customer support and management tool to steal the “audience data” of 133 customers.
This audience data is different for each MailChimp customer, but commonly includes email addresses and names of customers or prospects used to send marketing emails.
Last Thursday, FanDuel sent an email to customers to warn them that the threat actors acquired their names and email addresses during the MailChimp breach.
“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its customers such as FanDuel that they had experienced a security breach in their system that affected several of their customers,” reads a FanDuel ‘Notice of Third-Party Vendor Security Incident’ seen by BleepingComputer.
“On Sunday evening, the seller confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information or other personal information was acquired in this incident.”
FanDuel also emphasized that this was not a breach of its systems or FanDuel user accounts, and that the hackers did not acquire “passwords, financial account information or other personal information” during the breach.
While the security incident notification did not name the third-party vendor that was breached, FanDuel confirmed to BleepingComputer that the third-party vendor was MailChimp.
FanDuel is urging customers to “remain vigilant” against phishing attacks and account takeover attempts after their data was exposed in this recent breach.
“Remain alert to email ‘phishing’ attempts claiming a problem with your FanDuel account that requires providing personal or private information to resolve the problem,” warns the FanDuel security incident email.
“FanDuel will never email customers directly and request personal information to resolve a problem.”
FanDuel also cautions customers to update their passwords frequently, enable multi-factor authentication (MFA) on their accounts, and not click on links in password reset attempts that a customer has not initiated.
While there is no indication that the stolen MailChimp data is being used in attacks, threat actors have misused this type of stolen data in previous phishing campaigns.
In April 2022, a MailChimp breach allowed threat actors to steal marketing email data for the Trezor hardware wallet.
This data was then used in a phishing campaign that posed as data breach notifications and pushed malware designed to steal cryptocurrency wallets.
Furthermore, FanDuel accounts are in high demand, with threat actors actively conducting credential stuffing attacks to hack customers’ accounts [1, 2, 3].
These accounts are sold on cybercrime marketplaces for as little as $2, depending on an account’s balance or associated payment information.
Enabling MFA on a FanDuel account using an authentication app will make it much more difficult for accounts to be stolen even if a threat actor gains access to a customer’s credentials.
Many account compromises are caused by reusing the same credentials at FanDuel and at other sites that later suffer data breaches. Threat actors then use these leaked credentials to attempt to log into accounts on other websites.
For this reason, it’s critical to use a password manager and create unique passwords on each site to prevent a breach at one company from affecting you at another.