USA Trending News

800,000 Paddy Power and Betfair users warned of email scam threat

Gamblers have been warned of the dangers of email-based scams after information on 800,000 users leaked online.

The leak exposed IP addresses, email addresses and online gambling activity for Paddy Power and Betfair users, and security experts have warned that it could be used for targeted phishing attacks.

The incident was confirmed by Flutter, parent company of Paddy Power and Betfair, although the company made clear no passwords or payment details were leaked.

Flutter has advised users: “There is nothing you need to do in response to this incident, however, we recommend you remain vigilant.”

What could happen as a result of this leak?

Experts have warned that the information could be enough for cybercriminals to create highly targeted phishing attacks, playing on people’s fondness for gambling.

“Flutter’s breach response and regulatory notification and transparent communication is commendable. However, usernames, emails, and addresses should not be considered ‘limited’ data,” Javvad Malik, lead security awareness advocate at software company KnowBe4, told Yahoo News.

“Criminals use all information at their disposal to create social engineering attacks. Knowing that potential victims enjoy gambling could enable them to craft campaigns which exploit their behaviours. In such circumstances, even limited data can become weaponised by attackers who want to manipulate the psychology of their victims.”

Betfair and Paddy Power are owned by the same company. (PA)

For example, attackers could lead gamblers towards fake sites that resemble the ones they use, built to harvest details such as credit card numbers.

Such fake sites can lull visitors into a false sense of security and mean that they are happier to ‘re-enter’ details.

The use of AI in the cybercriminal community has meant it is easier to craft large-scale phishing campaigns, using technology such as ChatGPT to craft convincing emails.

“While Flutter is confident that it has contained the incident and it is over, for the victims whose data has been stolen, the incidents may only just be beginning,” Malik warned.

What caused the Flutter leak?

Flutter has 4.2 million monthly players across its UK and Irish platforms, but has said that the leak did not come from its own systems.

Instead, it was a result of an issue with a third-party provider.

Cybercriminals now commonly target large companies via smaller companies they work with, for instance, by targeting lawyers or accountants that work with a larger organisation.

“While Flutter has stated that the breach did not result from any failure in its own systems but rather from a third-party provider, this distinction will offer little reassurance to affected customers,” Jamie Akhtar, CEO of cybersecurity platform CyberSmart said.

“In an era of connected services and extensive data-sharing, organisations must ensure their security standards extend across the entire supply chain.”

What should users do?

Users should ensure that their devices have up-to-date software and anti-virus, and be highly sceptical of emails, particularly any unexpected emails referencing gambling, Malik advises.

If unexpected emails arrive, do not open files or follow links, and instead call the organisations concerned, or type their address into a browser.

Staying cautious around cybersecurity more generally is also a good idea in such situations – here are some general tips that might come in handy.

Change your password if there’s any way it could be guessed from public information about you – for instance if your email is associated with a social media account where you talk about sport, and the password is related to your football team.

If your email has been hacked, there are a number of steps you should take immediately. If the hackers contact you and either threaten you or offer you back your account in exchange for money, don't respond. Any action you take may just alert the hacker that you are there.

Another step to take is to reset the password and switch on multi-factor authentication.

This reduces the hacker’s chance of getting into your accounts as they would need access to your other devices to be able to authenticate themselves.
