
FanDuel hit by data leak in MailChimp cyberattack
133 MailChimp accounts affected as sports betting operator urges customers to switch on two-factor authentication


FanDuel has confirmed that names and email addresses of its customers were among the data obtained by hackers in a recent breach at email marketing platform MailChimp, which affected 133 MailChimp accounts.
MailChimp first reported the breach on January 13, revealing that hackers had targeted the firm in a so-called ‘social engineering’ attack aimed at employees and external contractors.
In these attacks, hackers win the trust of their targets in order to persuade them to divulge credentials or other personal information, click web links, or open attachments, which may be malicious in nature.
Using details stolen from a MailChimp employee, hackers accessed an internal customer support and administration tool to pilfer ‘audience data’ for 133 MailChimp account holders.
This data, while different for each MailChimp customer, contains the names and email addresses of current and potential customers used for marketing purposes.
“After we identified evidence of an unauthorized actor, we temporarily suspended account access for Mailchimp accounts where we detected suspicious activity to protect our users’ data,” MailChimp’s incident report read.
All affected customers were notified within 24 hours of the breach being confirmed.
On January 19, FanDuel contacted its customers confirming that some accounts might be affected in an email entitled ‘Notice of Third-Party Vendor Security Incident’.
“Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients,” the report, provided to EGR by FanDuel, stated.
“On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired in this incident,” it assured.
While not explicitly named in the email, FanDuel confirmed to EGR the third-party vendor involved was MailChimp.
The email goes on to urge account holders to update their passwords regularly and to watch out for password reset notifications they did not initiate.
“Remain vigilant against email ‘phishing’ attempts claiming an issue with your FanDuel account that requires providing personal or private information to resolve the problem,” the email states.
“FanDuel will never email customers directly and request personal information to resolve an issue,” it adds.
The sportsbook and icasino operator has advised its customers to adopt two-factor authentication, a method that is proving popular among operators. It requires a second proof of identity at login in addition to the password, typically a unique one-time code sent to or generated on the customer’s phone, so a password alone is not enough to take over an account.
This method was encouraged by DraftKings following its own data breach by a so-called ‘credential stuffing’ attack, in which attackers replay username and password pairs leaked from other sites. That incident exposed the details of 68,000 accounts, with more than $300,000 in customer funds being siphoned by hackers.
BetMGM and FanDuel users were also affected by this earlier attack.