FanDuel gamblers warned of phishing threat after data breach at Mailchimp

Graham Cluley
Graham Cluley
@[email protected]

FanDuel gamblers warned of phishing threat after data breach at Mailchimp

The important thing to realise about the (most recently) reported data breach at email newsletter service Mailchimp is that it’s not just Mailchimp’s customer data that was put at risk.

Even if you’re not personally a customer of Mailchimp, even if you’ve never even heard of Mailchimp, you may be affected.

That’s a realisation that should be dawning on customers of sportsbook and betting website FanDuel, as they receive warnings that their names and email addresses were exposed earlier this month.

Part of the email FanDuel sent to customers
Part of the email FanDuel sent to customers

Part of the email reads as follows:

Recently, we were informed by a third-party technology vendor that sends transactional emails on behalf of its clients like FanDuel that they had experienced a security breach within their system that impacted several of their clients. On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor. No customer passwords, financial account information, or other personal information was acquired in this incident.

Although none of your personal information beyond your name and email address were implicated, it is a good moment to remind you that we encourage every customer to take four important steps to help safeguard your FanDuel account and maintain your play safely and securely…

It’s not really accurate for anyone to claim that FanDuel has been hacked. Instead, FanDuel – like many other companies – outsourced its newsletter management to Mailchimp. That meant FanDuel the responsibility of handle its newsletter subscriber database and sending out emails on its behalf to Mailchimp.

Which is all fine and dandy if Mailchimp does a good job of sending out the emails, and securing those subscriber details.

Unfortunately, Mailchimp didn’t do that (and not for the first time, either…).

Which is why FanDuel has found itself in the embarrassing position of contacting customers who were exposed by the breach, and warning them that even though passwords, financial information, and the like were not exposed… names and email addresses are now in the hands of cybercriminals.

And those criminals could, if they wished, create convincing-looking phishing emails that might attempt to trick unsuspecting users into revealing more information – such as their passwords, for instance.

Sign up to our free newsletter.
Security news, advice, and tips.

I would recommend that FanDuel customers be on their guard, and – if they haven’t already done so – enable two-factor authentication (2FA) on their FanDuel accounts.

I would imagine that FanDuel, and other companies affected by Mailchimp’s data breach, are pretty upset right now about the damage that has been done to their reputation by Mailchimp’s sloppy security.

It was kind of FanDuel, in its notification to affected customers, not to mention that Mailchimp was the company which let the side down.

But it was Mailchimp.

So now you know.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.