Basketball fans interested in getting regular email updates from the NBA may have had some of their personal data stolen, the body has confirmed.
The NBA has sent out a “Notice of cybersecurity incident” to an “unknown number” of fans, BleepingComputer reported.
In the notice, the organization said that some fans who were signed up for email marketing services such as newsletters may have had their names and emails taken by an unknown threat actor. This data was kept by a third-party newsletter service tasked with sending out email notifications and news.
Passwords are safe
“We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA,” the NBA said.
Other data remains secure, the organization added: “There is no indication that our systems, your username, password, or any other information you have shared with us have been impacted.”
This information clearly points to a supply-chain attack; however, the NBA did not say who the targeted third party is, nor how it was breached.
It did warn its users that whoever obtained this data can now use it in phishing and identity theft attacks:
“Given the nature of the information, there may be heightened risk of you receiving ‘phishing’ emails from email accounts appearing to be affiliated with the NBA, or of being targeted by other so-called ‘social engineering’ attacks (where an individual seeks to trick the target into sharing confidential information or otherwise taking actions contrary to his or her own interest),” the NBA said.
The organization concluded the update by saying that the NBA will never ask its fans for any type of account information.
To be on the safe side, it added, fans are urged to be cautious whenever they get an email that seems to be from the NBA. They can do that by making sure the email was sent from an @NBA address, and that any links shared in the email point to a trusted website. Finally, fans are advised to never open email attachments they weren’t expecting to receive.
Via: BleepingComputer