As it moves into the final stretch of its regular season, the National Basketball Association said over the weekend that “an unauthorized third party” netted a database filled with the names and email addresses of fans.

The data was housed by a newsletter service that it partners with, the NBA noted in a letter to those affected — an all-too-common instance of the risk that third-party vendors can represent for organizations if their security isn’t properly vetted.