The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, “held” by a third-party newsletter service, was stolen.
The NBA is a global sports and media organization that governs five professional sports leagues, including the NBA, WNBA, Basketball Africa League, NBA G League, and NBA 2K League.
NBA programming and games are broadcast worldwide, in more than 215 countries and territories, spanning more than 50 languages.
In “Notice of Cybersecurity Incident” emails sent to an unknown number of fans, the NBA said its systems were not breached, and that the affected fan’s credentials were not affected in this incident. However, some fans’ personal information was stolen.
“We recently learned that an unauthorized third party gained access to, and obtained a copy of, your name and email address, held by a third-party service provider that helps us communicate via email to the fans who shared this information with the NBA,” the NBA said.
“There is no indication that our systems, your username, password, or any other information you shared with us were affected.”
After being notified of the incident, the NBA is working with the third-party service provider as part of the ongoing investigation and has engaged the services of external cybersecurity experts to evaluate the scope of the impact.
Fans are warned to beware of phishing attacks
The NBA also warns that, due to the sensitive nature of the data involved, there is a higher possibility that affected individuals may be targeted in phishing attacks and various scams.
Affected fans are strongly encouraged to remain vigilant when opening suspicious emails or communications that may appear to come from the NBA or its partners.
“Due to the nature of the information, you may be at increased risk of receiving ‘phishing’ emails from email accounts that appear to be affiliated with the NBA, or being targeted by other so-called ‘social engineering’ attacks ( where an individual seeks to trick the target into sharing confidential information or otherwise taking actions contrary to his or her own interests,” the NBA said.
The notification emails added that the NBA will never request fans’ account information, including usernames or passwords, via email.
Affected fans are also advised to verify that emails received were sent from a legitimate “@nba.com” email address, to check that embedded links point to a trusted website, and never open email attachments they don’t expect to receive.
An NBA spokesperson was unavailable for comment when contacted by BleepingComputer earlier today.