FanDuel says user data possibly stolen in recent MailChimp breach

Sensitive data belonging to the FanDuel users was compromised in the recent MailChimp data breach, the of sports betting site has told customers.

An email sent to FanDuel customers confirmed their full names and email addresses were accessed as a consequence of the MailChimp cyberattack, and warning them to stay vigilant against potential phishing attacks. 

“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients,” BleepingComputer cited a FanDuel ‘Notice of Third-Party Vendor Security Incident’. 

Passwords are safe

“On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired in this incident.”

While FanDuel didn’t name the vendor in the notification, it later confirmed to media that it was referring to MailChimp.

The company also added that as this wasn’t a breach of its own internal systems, sensitive information including “passwords, financial account information, or other personal information” was not accessed. 

While just getting people’s names and emails might not be much, it’s enough for a phishing attack which could be more devastating, and could result in people losing access to valuable accounts, private data, and possibly even money from their devices and endpoints. Now, FanDuel is warning its users to keep both eyes open:

“Remain vigilant against email “phishing” attempts claiming an issue with your FanDuel account that requires providing personal or private information to resolve the problem,” the notification further claims. “FanDuel will never email customers directly and request personal information to resolve an issue.”

FanDuel also urged its customers to regularly update their passwords, and to make sure those passwords are strong and not used on other platforms at the same time. Furthermore, it told everyone to activate multi-factor authentication (MFA) if they hand’t already done so.

Via: BleepingComputer