The National Basketball Association (NBA) has notified its fans they may be affected by a data breach in a third-party service the organization uses.
For now, it is safe to assume that the attacker only obtained names and email addresses, but the NBA has hired the services of external cybersecurity experts to analyze the scope of the impact.
The NBA is a global sports and media organization most famous for its annual mens basketball league in the USA. The organization is actually built around five professional sports leagues: the NBA, WNBA, NBA G League, NBA 2K League and Basketball Africa League.
The NBA sent out emails to a number of its followers noting that while names and email addresses have been compromised, no other personally identifiable information was breached.
According to BleepingComputer the email read:
We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA.
The email also warned about possible phishing attempts appearing to come from organizations associated with the NBA or basketball in general. It urges fans to treat any links and attachments, even if they appear to come from a legitimate @nba.com email address, with extra caution.
We know that newsletter services are high on the target list of cybercriminals. In January of 2023, Mailchimp fell victim for the second time in a year to a social engineering attack. Getting your hands on a list of email addresses that share a common interest is a golden opportunity for scammers.
Data breach
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.