NBA alerts fans after hack of third-party service provider

The National Basketball Association (NBA) said it is contacting fans after an unnamed service provider was hacked.

An NBA spokesperson did not respond to questions about what service provider was hacked and when, but told The Record that the league is now trying to help those affected.

“We were recently made aware that an unauthorized third party gained access to the IT systems of an NBA service provider for mobile app and email communications. As a result, copies of names and email addresses of some NBA fans were captured,” the spokesperson said. The NBA was notified of the incident on March 8.

“There is no impact whatsoever to the NBA’s systems or to the assets held securely at the NBA. The league immediately took action to contain the issue, identify those impacted and communicate potential risks and next steps.”

The incident was first reported by Bleeping Computer, which revealed that emails were sent out to an unspecified number of fans about a “cybersecurity incident.”

The messages say the third-party service provider helped the NBA communicate with fans through email. The league also says that an investigation is ongoing and a cybersecurity firm has been hired to analyze the incident.

The NBA warned that customers should be wary of phishing emails or scams that will take advantage of the breach. Any emails purporting to be from the NBA should be checked to make sure they came from a "@nba.com" email address.

Sports leagues have become ripe targets for hackers as more shift away from cable packages to their own personalized streaming offerings — thus taking on more direct responsibility for protecting data.

The NBA’s Houston Rockets were hit with ransomware in 2021 that allowed for the theft of employee data, contracts, nondisclosure agreements, customer information and more.

The National Football League's San Francisco 49ers are still dealing with the aftermath of a 2022 ransomware attack that took place one week before Super Bowl Sunday. More than 20,000 people had their Social Security numbers leaked in the attack.

Last week, the Justice Department sentenced Joshua Streit to three years in prison after he was convicted by a federal court for illegally accessing and reselling video streams for the NBA, NFL, Major League Baseball and the National Hockey League.

The 31-year-old Minnesota man streamed games on a site named HeHeStreams from 2017 to 2021. He later tried to extort $150,000 from the MLB in exchange for not publicizing the vulnerability he used to hack its website.