The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails.
On January 13th, MailChimp confirmed they suffered a breach after hackers stole an employee’s credentials using a social engineering attack.
Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the “audience data” for 133 customers.
This audience data is different for each MailChimp customer but commonly contains the email addresses and names of customers, or potential customers, that are used to send marketing emails.
Last Thursday, FanDuel emailed customers to warn them that the threat actors acquired their names and email addresses during the MailChimp breach.
“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients,” reads a FanDuel ‘Notice of Third-Party Vendor Security Incident’ seen by BleepingComputer.
“On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired in this incident.”
FanDuel also stressed that this was not a breach of their systems or FanDuel user accounts and that the hackers did not acquire “passwords, financial account information, or other personal information” during the breach.
While the security incident notification did not name the third-party vendor that was breached, FanDuel confirmed to BleepingComputer that the third-party vendor was MailChimp.
“Remain vigilant”
FanDuel urges customers to “remain vigilant” against phishing attacks and attempted account takeovers after their data was exposed in this recent breach.
“Remain vigilant against email “phishing” attempts claiming an issue with your FanDuel account that requires providing personal or private information to resolve the problem,” warns the FanDuel security incident email.
“FanDuel will never email customers directly and request personal information to resolve an issue.”
FanDuel also warns customers to update their passwords frequently, enable multi-factor authentication (MFA) on their accounts, and not click on links in attempted password resets that a customer did not initiate.
While there is no indication that the stolen MailChimp data is being used in attacks, threat actors have abused this type of stolen data in past phishing campaigns.
In April 2022, a MailChimp breach allowed threat actors to steal the marketing email data for the Trezor hardware wallet.
This data was then used in a phishing campaign pretending to be fake data breach notifications that pushed malicious software to steal cryptocurrency wallets.
Furthermore, FanDuel accounts are in high demand, with threat actors actively performing credential-stuffing attacks to hack customers’ accounts [1, 2, 3].
These accounts are sold on cybercrime marketplaces for as little as $2, depending on an account’s balance or linked payment information.
Enabling MFA on a FanDuel account using an authentication app will make it much harder for accounts to be stolen, even if a threat actor gains access to a customer’s credentials.
Many account compromises happen when customers reuse the same credentials at FanDuel and at other sites that later suffer data breaches. Threat actors then use the leaked credentials to attempt to log in to accounts at other sites.
For this reason, using a password manager and creating unique passwords at every site is vital to prevent a breach at one company from affecting you at another.
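As an added illustration of the credential-stuffing pattern described above (example code, not from the article or from FanDuel): a small Python detector that scans constructed login-log lines for a source address trying many distinct usernames in a short window with mostly failures, and lists the accounts that did succeed from that source. The log format, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp, source IP, username, outcome.
# One source walks a list of different usernames; another is a user retrying their own password.
SAMPLE_LOG = """\
2023-01-20T10:00:01 203.0.113.5 alice FAIL
2023-01-20T10:00:02 203.0.113.5 bob FAIL
2023-01-20T10:00:02 203.0.113.5 carol FAIL
2023-01-20T10:00:03 203.0.113.5 dave SUCCESS
2023-01-20T10:00:04 203.0.113.5 erin FAIL
2023-01-20T10:00:05 203.0.113.5 frank FAIL
2023-01-20T10:00:09 198.51.100.7 alice FAIL
2023-01-20T10:00:15 198.51.100.7 alice FAIL
2023-01-20T10:00:30 198.51.100.7 alice SUCCESS
2023-01-20T10:05:00 192.0.2.9 grace SUCCESS
"""

def parse_log(text):
    """Parse the assumed 'timestamp ip user outcome' format into (time, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events

def find_stuffing_sources(events, window_seconds=60, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames within a short window, mostly failing.
    A user mistyping their own password hits one username; a leaked credential list hits many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            window = attempts[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sorted({u for _, u, ok in window if ok})
            if len(users) >= min_users and len(successes) / len(window) <= max_success_ratio:
                # keep the widest qualifying window seen for this source
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(window),
                                   "successes": len(successes), "likely_compromised": successes}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse_log(SAMPLE_LOG)))
```

Accounts listed under `likely_compromised` are the ones a responder would force a password reset and MFA enrolment on first.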