FanDuel is sending out emails to customers letting them know of a security incident that compromised certain private details. According to the email, which we received first-hand, the security breach occurred at a third-party vendor that sends out transactional emails on behalf of its clients like FanDuel. So it wasn't FanDuel that dropped the ball, at least not directly.
The good news is this could have been a lot worse (like when hackers pilfered $300K from DraftKings two months ago). FanDuel says the unauthorized actor (hacker) did not obtain any customer passwords, financial account information, or personal information other than names and email addresses. The bad news is that a list of real customer names paired with their email addresses is exactly what a bad actor needs to send convincing, targeted phishing emails.
FanDuel warns of this in its email, with one of its bits of advice being to "remain vigilant against email 'phishing' attempts claiming an issue with your FanDuel account that requires providing personal or private information to resolve the problem." FanDuel reminds users that it will never email customers directly to request personal information to resolve an issue.
"Watch out for any attempted password resets for your account at FanDuel or elsewhere that you didn’t initiate. If you receive one you did not ask for, avoid clicking on any links in the email and make sure your email provider password is secure, and not one that has been reused or compromised in a data breach," FanDuel warns in its email.
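As an added illustration of what that vigilance looks like in practice, here is a small Python triage script that checks a raw email for the signals FanDuel's notice describes: a sender domain that is not the real one, a Reply-To that points somewhere else, links whose target differs from the domain they display, and "fix your account now" language. This is example code written for this page, not FanDuel's or the email vendor's; the two sample messages and the set of "legitimate" domains are constructed assumptions, and the hostname-to-domain reduction is deliberately crude (last two labels, fine for .com, wrong for co.uk).

```python
"""Triage a suspected phishing email for the signals a FanDuel customer was told
to watch for. Added example for this article, not FanDuel or vendor code.
The sample messages and LEGIT_DOMAINS below are constructed assumptions."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain a genuine FanDuel email would come from and link to.
LEGIT_DOMAINS = {"fanduel.com"}

# Phrases typical of "there is a problem with your account, act now" lures.
LURE_PATTERNS = [
    r"verify your (identity|account)",
    r"confirm your (password|ssn|social security|date of birth)",
    r"account (will be|has been) (suspended|locked|closed)",
    r"within \d+ hours?",
]


class LinkExtractor(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude eTLD+1: keep the last two labels (ok for .com, not for co.uk)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(header):
    """Pull the domain out of a From/Reply-To header value."""
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = domain_of_address(msg["From"])
    reply_dom = domain_of_address(msg["Reply-To"])
    if registrable(from_dom) not in LEGIT_DOMAINS:
        findings.append(f"From domain {from_dom!r} is not a known FanDuel domain")
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for anchor, href in extractor.links:
        host = urlparse(href).hostname or ""
        if registrable(host) not in LEGIT_DOMAINS:
            findings.append(f"link {anchor!r} is off-domain (points to {host!r})")
        # A link whose visible text is a URL on one host but whose href goes elsewhere.
        shown = urlparse(anchor).hostname if "://" in anchor else None
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link displays {shown!r} but points to {host!r}")

    text = re.sub(r"<[^>]+>", " ", html).lower()
    text = f"{msg['Subject'] or ''} {text}".lower()
    for pattern in LURE_PATTERNS:
        if re.search(pattern, text):
            findings.append(f"lure phrase matched: /{pattern}/")
    return findings


def is_phish(raw: bytes) -> bool:
    return bool(triage(raw))


# Constructed sample: a lookalike sender, mismatched Reply-To, disguised link.
PHISH_SAMPLE = b"""From: FanDuel Support <support@fanduel-accounts.com>
Reply-To: help@fd-secure-login.net
To: customer@example.com
Subject: Action required: account issue
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected a problem with your FanDuel account. Verify your identity
within 24 hours or your account will be suspended.</p>
<p><a href="http://fd-secure-login.net/verify">https://www.fanduel.com/account</a></p>
</body></html>
"""

# Constructed sample: a benign message from the assumed legitimate domain.
CLEAN_SAMPLE = b"""From: FanDuel <no-reply@fanduel.com>
To: customer@example.com
Subject: Your weekly summary
Content-Type: text/html; charset=utf-8

<html><body><p>Here is your weekly summary.</p>
<p><a href="https://www.fanduel.com/promos">See this week's promotions</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, "->", "SUSPICIOUS" if is_phish(raw) else "ok")
        for f in triage(raw):
            print("  -", f)
```

Run it on a saved .eml file by reading the bytes and passing them to `triage`. The point of the script is the combination of checks: any one of them can have an innocent explanation (marketing platforms legitimately send from their own domains), but a lookalike sender plus a link that displays one host and opens another plus a deadline is the pattern the FanDuel notice is warning about, and no link in such a message should be clicked.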
FanDuel also advises customers to frequently update their passwords and to avoid using the same one for multiple sites (computer security 101, really), though its best bit of advice is to take advantage of the service's multi-factor authentication for an added layer of protection.
How To Enable Multi-Factor Authentication In FanDuel
To enable MFA, click on Account in the lower-right corner of the app, then navigate to Account settings > two-factor authentication and follow the instructions. You can also find an option to "log out everywhere" in this same settings page.
You should absolutely do this. According to the folks at Bleeping Computer, FanDuel accounts are in high demand and are commonly sold on underground marketplaces, in some cases for as little as $2. The site also said it confirmed with FanDuel that the third-party vendor referenced in the email is MailChimp, a popular marketing automation and email marketing service.
Earlier this month, MailChimp disclosed a security incident in which a hacker used social engineering against its employees to gain access to 133 customer accounts. In addition to FanDuel, other affected clients include WooCommerce, Solana Foundation, and Yuga Labs.